From 45d17c5148327d28f2041b057e71ab4beb7db339 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 1 Jun 2020 14:53:04 -0400
Subject: [PATCH 001/314] Pillarize Suricata Round 1
---
salt/suricata/files/defaults.yaml | 2023 +++++++++++++++++++++++++++++
1 file changed, 2023 insertions(+)
create mode 100644 salt/suricata/files/defaults.yaml
diff --git a/salt/suricata/files/defaults.yaml b/salt/suricata/files/defaults.yaml
new file mode 100644
index 000000000..71cb64392
--- /dev/null
+++ b/salt/suricata/files/defaults.yaml
@@ -0,0 +1,2023 @@
+%YAML 1.1
+ ---
+ {%- set META = salt['pillar.get']('static:broversion', 'BRO') %}
+ {%- set SURIRING = salt['pillar.get']('suricata:suriring', '2048') %}
+ {%- set SURIMPP = salt['pillar.get']('suricata:surimpp', '5000') %}
+ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+ {%- if grains['role'] == 'so-eval' %}
+ {%- set MTU = 1500 %}
+ {%- elif grains['role'] == 'so-helix' %}
+ {%- set MTU = 9000 %}
+ {%- else %}
+ {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %}
+ {%- endif %}
+ {%- if salt['pillar.get']('sensor:homenet') %}
+ {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %}
+ {%- else %}
+ {%- set homenet = salt['pillar.get']('static:hnmaster', '') %}
+ {%- endif %}
+ # Suricata configuration file. In addition to the comments describing all
+ # options in this file, full documentation can be found at:
+ # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
+
+ ##
+ ## Step 1: inform Suricata about your network
+ ##
+
+suricata:
+ vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[{{ homenet }}]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+
+ ##
+ ## Step 2: select outputs to enable
+ ##
+
+ # The default logging directory. Any log or output file will be
+ # placed here if its not specified with a full path name. This can be
+ # overridden with the -l command line parameter.
+ default-log-dir: /var/log/suricata/
+
+ # global stats configuration
+ stats:
+ enabled: yes
+ # The interval field (in seconds) controls at what interval
+ # the loggers are invoked.
+ interval: 30
+ # Add decode events as stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+ # Configure the type of alert (and other) logging you would like.
+ outputs:
+ # a line based alerts log similar to Snort's fast.log
+ - fast:
+ enabled: no
+ filename: fast.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: /nsm/eve.json
+ rotate-interval: hour
+
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ # include the name of the input pcap file in pcap file processing mode
+ pcap-file: false
+
+ # Community Flow ID
+ # Adds a 'community_id' field to EVE records. These are meant to give
+ # a records a predictable flow id that can be used to match records to
+ # output of other tools such as Bro.
+ #
+ # Takes a 'seed' that needs to be same across sensors and tools
+ # to make the id less predictable.
+
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ payload: no # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
+ metadata:
+ app-layer: false
+ flow: false
+ rule:
+ metadata: true
+ raw: true
+
+ # http-body: yes # Requires metadata; enable dumping of http body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: no
+ {%- if META != 'SURICATA' -%}
+ #- anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is disabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # enabled.
+ # enabled: no
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ # types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ #- http:
+ # extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ # set this value to one and only one among {both, request, response}
+ # to dump all http headers for every http request and/or response
+ # dump-all-headers: none
+ #- dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+ # As of Suricata 5.0, version 2 of the eve dns output
+ # format is the default.
+ #version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: yes
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Types to log, based on the query type.
+ # Default: all.
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ #- tls:
+ # extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
+ #- files:
+ # force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ #- smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ #- dnp3
+ #- ftp
+ #- rdp
+ #- nfs
+ #- smb
+ #- tftp
+ #- ikev2
+ #- krb5
+ #- snmp
+ #- sip
+ #- dhcp:
+ # enabled: yes
+ # When extended mode is on, all DHCP messages are logged
+ # with full detail. When extended mode is off (the
+ # default), just enough information to map a MAC address
+ # to an IP address is logged.
+ # extended: no
+ #- ssh
+ #- stats:
+ # totals: yes # stats for all threads merged together
+ # threads: no # per thread stats
+ # deltas: no # include delta values
+ # bi-directional flows
+ #- flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
+ {%- else -%}
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is disabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # enabled.
+ enabled: no
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ decode: no
+ stream: no
+ applayer: yes
+ packethdr: no
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ # set this value to one and only one among {both, request, response}
+ # to dump all http headers for every http request and/or response
+ # dump-all-headers: none
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+ # As of Suricata 5.0, version 2 of the eve dns output
+ # format is the default.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ enabled: yes
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Types to log, based on the query type.
+ # Default: all.
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+
+ - smtp:
+ extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - dnp3
+ - ftp
+ - rdp
+ - nfs
+ - smb
+ - tftp
+ - ikev2
+ - krb5
+ - snmp
+ - sip
+ - dhcp:
+ enabled: yes
+ # When extended mode is on, all DHCP messages are logged
+ # with full detail. When extended mode is off (the
+ # default), just enough information to map a MAC address
+ # to an IP address is logged.
+ # extended: no
+ - ssh
+ #- stats:
+ # totals: yes # stats for all threads merged together
+ # threads: no # per thread stats
+ # deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
+ {%- endif %-}
+
+ # deprecated - unified2 alert format for use with Barnyard2
+ - unified2-alert:
+ enabled: no
+ # for further options see:
+ # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert
+
+ # a line based log of HTTP requests (no alerts)
+ - http-log:
+ enabled: no
+ filename: http.log
+ append: yes
+ #extended: yes # enable this for extended logging information
+ #custom: yes # enabled the custom logging format (defined by customformat)
+ #customformat: ""
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # a line based log of TLS handshake parameters (no alerts)
+ - tls-log:
+ enabled: no # Log TLS connections.
+ filename: tls.log # File to store TLS logs.
+ append: yes
+ #extended: yes # Log extended information like fingerprint
+ #custom: yes # enabled the custom logging format (defined by customformat)
+ #customformat: ""
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+
+ # output module to store certificates chain to disk
+ - tls-store:
+ enabled: no
+ #certs-log-dir: certs # directory to store the certificates files
+
+ # Packet log... log packets in pcap format. 3 modes of operation: "normal"
+ # "multi" and "sguil".
+ #
+ # In normal mode a pcap file "filename" is created in the default-log-dir,
+ # or are as specified by "dir".
+ # In multi mode, a file is created per thread. This will perform much
+ # better, but will create multiple files where 'normal' would create one.
+ # In multi mode the filename takes a few special variables:
+ # - %n -- thread number
+ # - %i -- thread id
+ # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
+ # E.g. filename: pcap.%n.%t
+ #
+ # Note that it's possible to use directories, but the directories are not
+ # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
+ # per thread directory.
+ #
+ # Also note that the limit and max-files settings are enforced per thread.
+ # So the size limit when using 8 threads with 1000mb files and 2000 files
+ # is: 8*1000*2000 ~ 16TiB.
+ #
+ # In Sguil mode "dir" indicates the base directory. In this base dir the
+ # pcaps are created in th directory structure Sguil expects:
+ #
+ # $sguil-base-dir/YYYY-MM-DD/$filename.
+ #
+ # By default all packets are logged except:
+ # - TCP streams beyond stream.reassembly.depth
+ # - encrypted streams after the key exchange
+ #
+ - pcap-log:
+ enabled: no
+ filename: log.pcap
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ limit: 1000mb
+
+ # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
+ max-files: 2000
+
+ # Compression algorithm for pcap files. Possible values: none, lz4.
+ # Enabling compression is incompatible with the sguil mode. Note also
+ # that on Windows, enabling compression will *increase* disk I/O.
+ compression: none
+
+ # Further options for lz4 compression. The compression level can be set
+ # to a value between 0 and 16, where higher values result in higher
+ # compression.
+ #lz4-checksum: no
+ #lz4-level: 0
+
+ mode: normal # normal, multi or sguil.
+
+ # Directory to place pcap files. If not provided the default log
+ # directory will be used. Required for "sguil" mode.
+ #dir: /nsm_data/
+
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
+
+ # a full alerts log containing much information for signature writers
+ # or for investigating suspected false positives.
+ - alert-debug:
+ enabled: no
+ filename: alert-debug.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # alert output to prelude (https://www.prelude-siem.org/) only
+ # available if Suricata has been compiled with --enable-prelude
+ - alert-prelude:
+ enabled: no
+ profile: suricata
+ log-packet-content: no
+ log-packet-header: yes
+
+ # Stats.log contains data from various counters of the Suricata engine.
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ null-values: yes # print counters that have value 0
+
+ # a line based alerts log similar to fast.log into syslog
+ - syslog:
+ enabled: no
+ # reported identity to syslog. If ommited the program name (usually
+ # suricata) will be used.
+ #identity: "suricata"
+ facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+
+ # deprecated a line based information for dropped packets in IPS mode
+ - drop:
+ enabled: no
+ # further options documented at:
+ # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets
+
+ # Output module for storing files on disk. Files are stored in a
+ # directory names consisting of the first 2 characters of the
+ # SHA256 of the file. Each file is given its SHA256 as a filename.
+ #
+ # When a duplicate file is found, the existing file is touched to
+ # have its timestamps updated.
+ #
+ # Unlike the older filestore, metadata is not written out by default
+ # as each file should already have a "fileinfo" record in the
+ # eve.log. If write-fileinfo is set to yes, the each file will have
+ # one more associated .json files that consists of the fileinfo
+ # record. A fileinfo file will be written for each occurrence of the
+ # file seen using a filename suffix to ensure uniqueness.
+ #
+ # To prune the filestore directory see the "suricatactl filestore
+ # prune" command which can delete files over a certain age.
+ - file-store:
+ version: 2
+ enabled: no
+
+ # Set the directory for the filestore. If the path is not
+ # absolute will be be relative to the default-log-dir.
+ #dir: filestore
+
+ # Write out a fileinfo record for each occurrence of a
+ # file. Disabled by default as each occurrence is already logged
+ # as a fileinfo record to the main eve-log.
+ #write-fileinfo: yes
+
+ # Force storing of all files. Default: no.
+ #force-filestore: yes
+
+ # Override the global stream-depth for sessions in which we want
+ # to perform file extraction. Set to 0 for unlimited.
+ #stream-depth: 0
+
+ # Uncomment the following variable to define how many files can
+ # remain open for filestore by Suricata. Default value is 0 which
+ # means files get closed after each write
+ #max-open-files: 1000
+
+ # Force logging of checksums, available hash functions are md5,
+ # sha1 and sha256. Note that SHA256 is automatically forced by
+ # the use of this output module as it uses the SHA256 as the
+ # file naming scheme.
+ #force-hash: [sha1, md5]
+ # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ # deprecated - file-store v1
+ - file-store:
+ enabled: no
+ # further options documented at:
+ # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1
+
+ # Log TCP data after stream normalization
+ # 2 types: file or dir. File logs into a single logfile. Dir creates
+ # 2 files per TCP session and stores the raw TCP data into them.
+ # Using 'both' will enable both file and dir modes.
+ #
+ # Note: limited by stream.reassembly.depth
+ - tcp-data:
+ enabled: no
+ type: file
+ filename: tcp-data.log
+
+ # Log HTTP body data after normalization, dechunking and unzipping.
+ # 2 types: file or dir. File logs into a single logfile. Dir creates
+ # 2 files per HTTP session and stores the normalized data into them.
+ # Using 'both' will enable both file and dir modes.
+ #
+ # Note: limited by the body limit settings
+ - http-body-data:
+ enabled: no
+ type: file
+ filename: http-data.log
+
+ # Lua Output Support - execute lua script to generate alert and event
+ # output.
+ # Documented at:
+ # https://suricata.readthedocs.io/en/latest/output/lua-output.html
+ - lua:
+ enabled: no
+ #scripts-dir: /etc/suricata/lua-output/
+ scripts:
+ # - script1.lua
+
+ # Logging configuration. This is not about logging IDS alerts/events, but
+ # output about what Suricata is doing, like startup messages, errors, etc.
+ logging:
+ # The default log level, can be overridden in an output section.
+ # Note that debug level logging will only be emitted if Suricata was
+ # compiled with the --enable-debug configure option.
+ #
+ # This value is overridden by the SC_LOG_LEVEL env var.
+ default-log-level: notice
+
+ # The default output format. Optional parameter, should default to
+ # something reasonable if not provided. Can be overridden in an
+ # output section. You can leave this out to get the default.
+ #
+ # This value is overridden by the SC_LOG_FORMAT env var.
+ #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
+
+ # A regex to filter output. Can be overridden in an output section.
+ # Defaults to empty (no filter).
+ #
+ # This value is overridden by the SC_LOG_OP_FILTER env var.
+ default-output-filter:
+
+ # Define your logging outputs. If none are defined, or they are all
+ # disabled you will get the default - console output.
+ outputs:
+ - console:
+ enabled: yes
+ # type: json
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.log
+ # type: json
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
+ # type: json
+
+
+ ##
+ ## Step 4: configure common capture settings
+ ##
+ ## See "Advanced Capture Options" below for more options, including NETMAP
+ ## and PF_RING.
+ ##
+
+ # Linux high speed capture support
+ af-packet:
+ - interface: {{ interface }}
+ # Number of receive threads. "auto" uses the number of cores
+ #threads: auto
+ # Default clusterid. AF_PACKET will load balance packets based on flow.
+ cluster-id: 59
+ # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
+ # This is only supported for Linux kernel > 3.1
+ # possible value are:
+ # * cluster_flow: all packets of a given flow are send to the same socket
+ # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
+ # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
+ # socket. Requires at least Linux 3.14.
+ # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
+ # more info.
+ # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
+ # with capture card using RSS (require cpu affinity tuning and system irq tuning)
+ cluster-type: cluster_flow
+ # In some fragmentation case, the hash can not be computed. If "defrag" is set
+ # to yes, the kernel will do the needed defragmentation before sending the packets.
+ defrag: yes
+ # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
+ use-mmap: yes
+ # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock
+ # your system
+ #mmap-locked: yes
+ # Use tpacket_v3 capture mode, only active if use-mmap is true
+ # Don't use it in IPS or TAP mode as it causes severe latency
+ tpacket-v3: yes
+ # Ring size will be computed with respect to max_pending_packets and number
+ # of threads. You can set manually the ring size in number of packets by setting
+ # the following value. If you are using flow cluster-type and have really network
+ # intensive single-flow you could want to set the ring-size independently of the number
+ # of threads:
+ ring-size: {{ SURIRING }}
+ # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
+ # a decent number of packets. Size is in bytes so please consider your MTU. It should be
+ # a power of 2 and it must be multiple of page size (usually 4096).
+ #block-size: 32768
+ # tpacket_v3 block timeout: an open block is passed to userspace if it is not
+ # filled after block-timeout milliseconds.
+ #block-timeout: 10
+ # On busy system, this could help to set it to yes to recover from a packet drop
+ # phase. This will result in some packets (at max a ring flush) being non treated.
+ #use-emergency-flush: yes
+ # recv buffer size, increase value could improve performance
+ # buffer-size: 32768
+ # Set to yes to disable promiscuous mode
+ # disable-promisc: no
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may be with an invalid checksum due to
+ # offloading to the network card of the checksum computation.
+ # Possible values are:
+ # - kernel: use indication sent by kernel for each packet (default)
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: suricata uses a statistical approach to detect when
+ # checksum off-loading is used.
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: kernel
+ # BPF filter to apply to this interface. The pcap filter syntax apply here.
+ #bpf-filter: port 80 or udp
+ # You can use the following variables to activate AF_PACKET tap or IPS mode.
+ # If copy-mode is set to ips or tap, the traffic coming to the current
+ # interface will be copied to the copy-iface interface. If 'tap' is set, the
+ # copy is complete. If 'ips' is set, the packet matching a 'drop' action
+ # will not be copied.
+ #copy-mode: ips
+ #copy-iface: eth1
+ # For eBPF and XDP setup including bypass, filter and load balancing, please
+ # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.
+
+ # Put default values here. These will be used for an interface that is not
+ # in the list above.
+ - interface: default
+ #threads: auto
+ #use-mmap: no
+ #tpacket-v3: yes
+
+ # Cross platform libpcap capture support
+ pcap:
+ - interface: eth0
+ # On Linux, pcap will try to use mmaped capture and will use buffer-size
+ # as total of memory used by the ring. So set this to something bigger
+ # than 1% of your bandwidth.
+ #buffer-size: 16777216
+ #bpf-filter: "tcp and port 25"
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may be with an invalid checksum due to
+ # offloading to the network card of the checksum computation.
+ # Possible values are:
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: Suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: auto
+ # With some accelerator cards using a modified libpcap (like myricom), you
+ # may want to have the same number of capture threads as the number of capture
+ # rings. In this case, set up the threads variable to N to start N threads
+ # listening on the same interface.
+ #threads: 16
+ # set to no to disable promiscuous mode:
+ #promisc: no
+ # set snaplen, if not set it defaults to MTU if MTU can be known
+ # via ioctl call and to full capture if not.
+ #snaplen: 1518
+ # Put default values here
+ - interface: default
+ #checksum-checks: auto
+
+ # Settings for reading pcap files
+ pcap-file:
+ # Possible values are:
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: Suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have checksum tested
+ checksum-checks: auto
+
+ # See "Advanced Capture Options" below for more options, including NETMAP
+ # and PF_RING.
+
+
+ ##
+ ## Step 5: App Layer Protocol Configuration
+ ##
+
+ # Configure the app-layer parsers. The protocols section details each
+ # protocol.
+ #
+ # The option "enabled" takes 3 values - "yes", "no", "detection-only".
+ # "yes" enables both detection and the parser, "no" disables both, and
+ # "detection-only" enables protocol detection only (parser disabled).
+ app-layer:
+ protocols:
+ krb5:
+ enabled: yes
+ snmp:
+ enabled: yes
+ ikev2:
+ enabled: yes
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ # Generate JA3 fingerprint from client hello. If not specified it
+ # will be disabled by default, but enabled if rules require it.
+ #ja3-fingerprints: auto
+
+ # What to do when the encrypted communications start:
+ # - default: keep tracking TLS session, check for protocol anomalies,
+ # inspect tls_* keywords. Disables inspection of unmodified
+ # 'content' signatures.
+ # - bypass: stop processing this flow as much as possible. No further
+ # TLS parsing and inspection. Offload flow bypass to kernel
+ # or hardware if possible.
+ # - full: keep tracking and inspection as normal. Unmodified content
+ # keyword signatures are inspected as well.
+ #
+ # For best performance, select 'bypass'.
+ #
+ #encryption-handling: default
+
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ # memcap: 64mb
+ # RDP, disabled by default.
+ rdp:
+ #enabled: no
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ raw-extraction: no
+ # Configure SMTP-MIME Decoder
+ mime:
+ # Decode MIME messages from SMTP transactions
+ # (may be resource intensive)
+ # This field supercedes all others because it turns the entire
+ # process on or off
+ decode-mime: yes
+
+ # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
+ decode-base64: yes
+ decode-quoted-printable: yes
+
+ # Maximum bytes per header data value stored in the data structure
+ # (default is 2000)
+ header-value-depth: 2000
+
+ # Extract URLs and save in state data structure
+ extract-urls: yes
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
+ # Configure inspected-tracker for file_data keyword
+ inspected-tracker:
+ content-limit: 100000
+ content-inspect-min-size: 32768
+ content-inspect-window: 4096
+ imap:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ detection-ports:
+ dp: 139, 445
+
+ # Stream reassembly size for SMB streams. By default track it completely.
+ #stream-depth: 0
+
+ nfs:
+ enabled: yes
+ tftp:
+ enabled: yes
+ dns:
+ # memcaps. Globally and per flow/state.
+ #global-memcap: 16mb
+ #state-memcap: 512kb
+
+ # How many unreplied DNS requests are considered a flood.
+ # If the limit is reached, app-layer-event:dns.flooded; will match.
+ #request-flood: 500
+
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ http:
+ enabled: yes
+ # memcap: Maximum memory capacity for http
+ # Default is unlimited, value can be such as 64mb
+
+ # default-config: Used when no server-config matches
+ # personality: List of personalities used by default
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ #
+ # For advanced options, see the user guide
+
+
+ # server-config: List of server configurations to use if address matches
+ # address: List of IP addresses or networks for this block
+ # personalitiy: List of personalities used by this block
+ #
+ # Then, all the fields from default-config can be overloaded
+ #
+ # Currently Available Personalities:
+ # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
+ # IIS_7_0, IIS_7_5, Apache_2
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 100kb
+ response-body-limit: 100kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ # Decompress SWF files.
+ # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+ # compress-depth:
+ # Specifies the maximum amount of data to decompress,
+ # set 0 for unlimited.
+ # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + # Can disable LZMA decompression + #lzma-enabled: yes + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. 
+ # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + + ntp: + enabled: yes + + dhcp: + enabled: yes + + # SIP, disabled by default. + sip: + #enabled: no + + # Limit for the maximum number of asn1 frames to decode (default 256) + asn1-max-frames: 256 + + + ############################################################################## + ## + ## Advanced settings below + ## + ############################################################################## + + ## + ## Run Options + ## + + # Run suricata as user and group. + run-as: + user: suricata + group: suricata + + # Some logging module will use that name in event as identifier. The default + # value is the hostname + #sensor-name: suricata + + # Default location of the pid file. 
The pid file is only used in + # daemon mode (start Suricata with -D). If not running in daemon mode + # the --pidfile command line option must be used to create a pid file. + #pid-file: /var/run/suricata.pid + + # Daemon working directory + # Suricata will change directory to this one if provided + # Default: "/" + #daemon-directory: "/" + + # Umask. + # Suricata will use this umask if it is provided. By default it will use the + # umask passed on by the shell. + #umask: 022 + + # Suricata core dump configuration. Limits the size of the core dump file to + # approximately max-dump. The actual core dump size will be a multiple of the + # page size. Core dumps that would be larger than max-dump are truncated. On + # Linux, the actual core dump size may be a few pages larger than max-dump. + # Setting max-dump to 0 disables core dumping. + # Setting max-dump to 'unlimited' will give the full core dump file. + # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size + # to be 'unlimited'. + + coredump: + max-dump: unlimited + + # If Suricata box is a router for the sniffed networks, set it to 'router'. If + # it is a pure sniffing setup, set it to 'sniffer-only'. + # If set to auto, the variable is internally switch to 'router' in IPS mode + # and 'sniffer-only' in IDS mode. + # This feature is currently only used by the reject* keywords. + host-mode: auto + + # Number of packets preallocated per thread. The default is 1024. A higher number + # will make sure each CPU will be more easily kept busy, but may negatively + # impact caching. + max-pending-packets: {{ SURIMPP }} + + # Runmode the engine should use. Please check --list-runmodes to get the available + # runmodes for each packet acquisition method. Default depends on selected capture + # method. 'workers' generally gives best performance. + runmode: workers + + # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 
+ # + # Supported schedulers are: + # + # hash - Flow assigned to threads using the 5-7 tuple hash. + # ippair - Flow assigned to threads using addresses only. + # + #autofp-scheduler: hash + + # Preallocated size for packet. Default is 1514 which is the classical + # size for pcap on ethernet. You should adjust this value to the highest + # packet size (MTU + hardware header) on your system. + default-packet-size: {{ MTU + 15 }} + + # Unix command socket can be used to pass commands to Suricata. + # An external tool can then connect to get information from Suricata + # or trigger some modifications of the engine. Set enabled to yes + # to activate the feature. In auto mode, the feature will only be + # activated in live capture mode. You can use the filename variable to set + # the file name of the socket. + unix-command: + enabled: auto + #filename: custom.socket + + # Magic file. The extension .mgc is added to the value here. + #magic-file: /usr/share/file/magic + #magic-file: + + # GeoIP2 database file. Specify path and filename of GeoIP2 database + # if using rules with "geoip" rule option. + #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb + + legacy: + uricontent: enabled + + ## + ## Detection settings + ## + + # Set the order of alerts based on actions + # The default order is pass, drop, reject, alert + # action-order: + # - pass + # - drop + # - reject + # - alert + + # IP Reputation + #reputation-categories-file: /etc/suricata/iprep/categories.txt + #default-reputation-path: /etc/suricata/iprep + #reputation-files: + # - reputation.list + + # When run with the option --engine-analysis, the engine will read each of + # the parameters below, and print reports for each of the enabled sections + # and exit. The reports are printed to a file in the default log dir + # given by the parameter "default-log-dir", with engine reporting + # subsection below printing reports in its own report file. 
+ engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + + #recursion and match limits for PCRE where supported + pcre: + match-limit: 3500 + match-limit-recursion: 1500 + + ## + ## Advanced Traffic Tracking and Reconstruction Settings + ## + + # Host specific policies for defragmentation and TCP stream + # reassembly. The host OS lookup is done using a radix tree, just + # like a routing table so the most specific entry matches. + host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + + # Defrag settings: + + defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + + # Enable defrag per host settings + # host-config: + # + # - dmz: + # timeout: 30 + # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] + # + # - lan: + # timeout: 45 + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # - 172.16.14.0/24 + + # Flow settings: + # By default, the reserved memory (memcap) for flows is 32MB. This is the limit + # for flow allocation inside the engine. You can change this value to allow + # more memory usage for flows. + # The hash-size determine the size of the hash used to identify flows inside + # the engine, and by default the value is 65536. + # At the startup, the engine can preallocate a number of flows, to get a better + # performance. The number of flows preallocated is 10000 by default. + # emergency-recovery is the percentage of flows that the engine need to + # prune before unsetting the emergency state. 
The emergency state is activated + # when the memcap limit is reached, allowing to create new flows, but + # pruning them with the emergency timeouts (they are defined below). + # If the memcap is reached, the engine will try to prune flows + # with the default timeouts. If it doesn't find a flow to prune, it will set + # the emergency bit and it will try again with more aggressive timeouts. + # If that doesn't work, then it will try to kill the last time seen flows + # not in use. + # The memcap can be specified in kb, mb, gb. Just a number indicates it's + # in bytes. + + flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + + # This option controls the use of vlan ids in the flow (and defrag) + # hashing. Normally this should be enabled, but in some (broken) + # setups where both sides of a flow are not tagged with the same vlan + # tag, we can ignore the vlan id's in the flow hashing. + vlan: + use-for-tracking: true + + # Specific timeouts for flows. Here you can specify the timeouts that the + # active flows will wait to transit from the current state to another, on each + # protocol. The value of "new" determine the seconds to wait after a handshake or + # stream startup before the engine free the data of that flow it doesn't + # change the state to established (usually if we don't receive more packets + # of that flow). The value of "established" is the amount of + # seconds that the engine will wait to free the flow if it spend that amount + # without receiving new packets or closing the connection. "closed" is the + # amount of time to wait after a flow is closed (usually zero). "bypassed" + # timeout controls locally bypassed flows. For these flows we don't do any other + # tracking. If no packets have been seen after this timeout, the flow is discarded. 
+ # + # There's an emergency mode that will become active under attack circumstances, + # making the engine to check flow status faster. This configuration variables + # use the prefix "emergency-" and work similar as the normal ones. + # Some timeouts doesn't apply to all the protocols, like "closed", for udp and + # icmp. + + flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + + # Stream engine settings. Here the TCP stream tracking and reassembly + # engine is configured. + # + # stream: + # memcap: 32mb # Can be specified in kb, mb, gb. Just a + # # number indicates it's in bytes. + # checksum-validation: yes # To validate the checksum of received + # # packet. If csum validation is specified as + # # "yes", then packet with invalid csum will not + # # be processed by the engine stream/app layer. + # # Warning: locally generated traffic can be + # # generated without checksum due to hardware offload + # # of checksum. 
You can control the handling of checksum + # # on a per-interface basis via the 'checksum-checks' + # # option + # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread + # midstream: false # don't allow midstream session pickups + # async-oneside: false # don't enable async stream handling + # inline: no # stream inline mode + # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine + # max-synack-queued: 5 # Max different SYN/ACKs to queue + # bypass: no # Bypass packets when stream.reassembly.depth is reached. + # # Warning: first side to reach this triggers + # # the bypass. + # + # reassembly: + # memcap: 64mb # Can be specified in kb, mb, gb. Just a number + # # indicates it's in bytes. + # depth: 1mb # Can be specified in kb, mb, gb. Just a number + # # indicates it's in bytes. + # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least + # # this size. Can be specified in kb, mb, + # # gb. Just a number indicates it's in bytes. + # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least + # # this size. Can be specified in kb, mb, + # # gb. Just a number indicates it's in bytes. + # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. + # # This lower the risk of some evasion technics but could lead + # # detection change between runs. It is set to 'yes' by default. + # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is + # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size + # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same + # # calculation for toclient-chunk-size. + # # Default value of randomize-chunk-range is 10. + # + # raw: yes # 'Raw' reassembly enabled or disabled. + # # raw is for content inspection by detection + # # engine. 
+ # + # segment-prealloc: 2048 # number of segments preallocated per thread + # + # check-overlap-different-data: true|false + # # check if a segment contains different data + # # than what we've already seen for that + # # position in the stream. + # # This is enabled automatically if inline mode + # # is used or when stream-event:reassembly_overlap_different_data; + # # is used in a rule. + # + stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + + # Host table: + # + # Host table is used by tagging and per host thresholding subsystems. + # + host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + + # IP Pair table: + # + # Used by xbits 'ippair' tracking. + # + #ippair: + # hash-size: 4096 + # prealloc: 1000 + # memcap: 32mb + + # Decoder settings + + decoder: + # Teredo decoder is known to not be completely accurate + # as it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 4789 is enabled. + vxlan: + enabled: true + ports: $VXLAN_PORTS # syntax: '8472, 4789' + # ERSPAN Type I decode support + erspan: + typeI: + enabled: false + + + ## + ## Performance tuning and profiling + ## + + # The detection engine builds internal groups of signatures. The engine + # allow us to specify the profile to use for them, to manage memory on an + # efficient way keeping a good performance. 
For the profile keyword you + # can use the words "low", "medium", "high" or "custom". If you use custom + # make sure to define the values at "- custom-values" as your convenience. + # Usually you would prefer medium/high/low. + # + # "sgh mpm-context", indicates how the staging should allot mpm contexts for + # the signature groups. "single" indicates the use of a single context for + # all the signature group heads. "full" indicates a mpm-context for each + # group head. "auto" lets the engine decide the distribution of contexts + # based on the information the engine gathers on the patterns from each + # group head. + # + # The option inspection-recursion-limit is used to limit the recursive calls + # in the content inspection code. For certain payload-sig combinations, we + # might end up taking too much time in the content inspection code. + # If the argument specified is 0, the engine uses an internally defined + # default limit. On not specifying a value, we use no limits on the recursion. + detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. 
+ grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + + # Select the multi pattern algorithm you want to run for scan/search the + # in the engine. + # + # The supported algorithms are: + # "ac" - Aho-Corasick, default implementation + # "ac-bs" - Aho-Corasick, reduced memory implementation + # "ac-ks" - Aho-Corasick, "Ken Steele" variant + # "hs" - Hyperscan, available when built with Hyperscan support + # + # The default mpm-algo value of "auto" will use "hs" if Hyperscan is + # available, "ac" otherwise. + # + # The mpm you choose also decides the distribution of mpm contexts for + # signature groups, specified by the conf - "detect.sgh-mpm-context". + # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" + # to be set to "single", because of ac's memory requirements, unless the + # ruleset is small enough to fit in one's memory, in which case one can + # use "full" with "ac". Rest of the mpms can be run in "full" mode. + + mpm-algo: auto + + # Select the matching algorithm you want to use for single-pattern searches. + # + # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only + # available if Suricata has been built with Hyperscan support). + # + # The default of "auto" will use "hs" if available, otherwise "bm". + + spm-algo: auto + + # Suricata is multi-threaded. Here the threading can be influenced. + threading: + set-cpu-affinity: yes + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. 
+ # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + {%- if salt['pillar.get']('sensor:suriprocs') %} + cpu-affinity: + - management-cpu-set: + cpu: [ all ] # include only these CPUs in affinity settings + - receive-cpu-set: + cpu: [ all ] # include only these CPUs in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + threads: {{ salt['pillar.get']('sensor:suriprocs') }} + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "high" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + {%- endif -%} + {%- if salt['pillar.get']('sensor:suripins') %} + cpu-affinity: + - management-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + threads: {{ salt['pillar.get']('sensor:suripins')|length }} + prio: + default: "high" + {% endif %} + + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. 
Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + + # Luajit has a strange memory requirement, it's 'states' need to be in the + # first 2G of the process' memory. + # + # 'luajit.states' is used to control how many states are preallocated. + # State use: per detect script: 1 per detect thread. Per output script: 1 per + # script. + luajit: + states: 128 + + # Profiling settings. Only effective if Suricata has been built with the + # the --enable-profiling configure flag. + # + profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + prefilter: + enabled: yes + filename: prefilter_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. 
+ locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + + ## + ## Netfilter integration + ## + + # When running in NFQ inline mode, it is possible to use a simulated + # non-terminal NFQUEUE verdict. + # This permit to do send all needed packet to Suricata via this a rule: + # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE + # And below, you can have your standard filtering ruleset. To activate + # this mode, you need to set mode to 'repeat' + # If you want packet to be sent to another queue after an ACCEPT decision + # set mode to 'route' and set next-queue value. + # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance + # by processing several packets before sending a verdict (worker runmode only). + # On linux >= 3.6, you can set the fail-open option to yes to have the kernel + # accept the packet if Suricata is not able to keep pace. + # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is + # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask + # on packet of a flow that need to be bypassed. The Nefilter ruleset has to + # directly accept all packets of a flow once a packet has been marked. 
+ nfq: + # mode: accept + # repeat-mark: 1 + # repeat-mask: 1 + # bypass-mark: 1 + # bypass-mask: 1 + # route-queue: 2 + # batchcount: 20 + # fail-open: yes + + #nflog support + nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + + ## + ## Advanced Capture Options + ## + + # general settings affecting packet capture + capture: + # disable NIC offloading. It's restored when Suricata exits. + # Enabled by default. + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # commandline. + #checksum-validation: none + + # Netmap support + # + # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have + # built-in netmap support or compile and install netmap module and appropriate + # NIC driver on your Linux system. + # To reach maximum throughput disable all receive-, segmentation-, + # checksum- offloadings on NIC. + # Disabling Tx checksum offloading is *required* for connecting OS endpoint + # with NIC endpoint. + # You can find more information at https://github.com/luigirizzo/netmap + # + netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of capture threads. "auto" uses number of RSS queues on interface. + # Warning: unless the RSS hashing is symmetrical, this will lead to + # accuracy issues. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. 
If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + + # PF_RING configuration. for use with native PF_RING support + # for more info see http://www.ntop.org/products/pf_ring/ + pfring: + - interface: eth0 + # Number of receive threads. If set to 'auto' Suricata will first try + # to use CPU (core) count and otherwise RSS queue count. + threads: auto + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. 
+ # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + + # bpf filter for this interface + #bpf-filter: tcp + + # If bypass is set then the PF_RING hw bypass is activated, when supported + # by the interface in use. Suricata will instruct the interface to bypass + # all future packets for a flow that need to be bypassed. + #bypass: yes + + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + + # For FreeBSD ipfw(8) divert(4) support. + # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" + # in /etc/loader.conf or kldload'ing the appropriate kernel modules. + # Additionally, you need to have an ipfw rule for the engine to see + # the packets from ipfw. For Example: + # + # ipfw add 100 divert 8000 ip from any to any + # + # The 8000 above should be the same number you passed on the command + # line, i.e. -d 8000 + # + ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. 
No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + + napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + # This may be enabled when sharing streams with another application. + # Otherwise, it should be turned off. + #hba: -1 + + # When use_all_streams is set to "yes" the initialization code will query + # the Napatech service for all configured streams and listen on all of them. + # When set to "no" the streams config array will be used. + # + # This option necessitates running the appropriate NTPL commands to create + # the desired streams prior to running suricata. + #use-all-streams: no + + # The streams to listen on when auto-config is disabled or when and threading + # cpu-affinity is disabled. This can be either: + # an individual stream (e.g. streams: [0]) + # or + # a range of streams (e.g. streams: ["0-3"]) + # + streams: ["0-3"] + + # When auto-config is enabled the streams will be created and assigned + # automatically to the NUMA node where the thread resides. If cpu-affinity + # is enabled in the threading section. Then the streams will be created + # according to the number of worker threads specified in the worker cpu set. + # Otherwise, the streams array is used to define the streams. + # + # This option cannot be used simultaneous with "use-all-streams". + # + auto-config: yes + + # Ports indicates which napatech ports are to be used in auto-config mode. + # these are the port ID's of the ports that will be merged prior to the + # traffic being distributed to the streams. + # + # This can be specified in any of the following ways: + # + # a list of individual ports (e.g. ports: [0,1,2,3]) + # + # a range of ports (e.g. 
ports: [0-3]) + # + # "all" to indicate that all ports are to be merged together + # (e.g. ports: [all]) + # + # This has no effect if auto-config is disabled. + # + ports: [all] + + # When auto-config is enabled the hashmode specifies the algorithm for + # determining to which stream a given packet is to be delivered. + # This can be any valid Napatech NTPL hashmode command. + # + # The most common hashmode commands are: hash2tuple, hash2tuplesorted, + # hash5tuple, hash5tuplesorted and roundrobin. + # + # See Napatech NTPL documentation other hashmodes and details on their use. + # + # This has no effect if auto-config is disabled. + # + hashmode: hash5tuplesorted + + ## + ## Configure Suricata to load Suricata-Update managed rules. + ## + ## If this section is completely commented out move down to the "Advanced rule + ## file configuration". + ## + + default-rule-path: /etc/suricata/rules + + rule-files: + - all.rules + + ## + ## Auxiliary configuration files. + ## + + classification-file: /etc/suricata/classification.config + reference-config-file: /etc/suricata/reference.config + # threshold-file: /etc/suricata/threshold.config + + ## + ## Include other configs + ## + + # Includes. Files included here will be handled as if they were + # inlined in this configuration file. + #include: include1.yaml + #include: include2.yaml + \ No newline at end of file From f8193cb9142e5a676e5c85a563464ac4eb8f216d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 4 Jun 2020 09:40:38 -0400 Subject: [PATCH 002/314] beginning to pillarize suricata --- salt/suricata/defaults3.yaml | 1695 +++++++++++++++++++++++ salt/suricata/init.sls | 11 + salt/suricata/suricata_config.map.jinja | 36 + salt/suricata/suricata_meta.yaml | 136 ++ 4 files changed, 1878 insertions(+) create mode 100644 salt/suricata/defaults3.yaml create mode 100644 salt/suricata/suricata_config.map.jinja create mode 100644 salt/suricata/suricata_meta.yaml 
diff --git a/salt/suricata/defaults3.yaml b/salt/suricata/defaults3.yaml
new file mode 100644
index 000000000..e523f2445
--- /dev/null
+++ b/salt/suricata/defaults3.yaml
@@ -0,0 +1,1695 @@
+suricata:
+ lookup:
+ vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+
+ ##
+ ## Step 2: select outputs to enable
+ ##
+
+ # The default logging directory. Any log or output file will be
+ # placed here if its not specified with a full path name. This can be
+ # overridden with the -l command line parameter.
+ default-log-dir: /var/log/suricata/
+
+ # global stats configuration
+ stats:
+ enabled: "yes"
+ # The interval field (in seconds) controls at what interval
+ # the loggers are invoked.
+ interval: 30
+ # Add decode events as stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+ # Configure the type of alert (and other) logging you would like.
+ outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: "no" + filename: fast.log + append: "yes" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: "yes" + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: /nsm/eve.json + rotate-interval: hour + + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: "yes" ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: "no" + + # include the name of the input pcap file in pcap file processing mode + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # a records a predictable flow id that can be used to match records to + # output of other tools such as Bro. + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. 
+ + # enable/disable the community id feature. + community-id: true + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: "no" + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + payload: "no" # enable dumping payload in Base64 + payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + payload-printable: "yes" # enable dumping payload in printable (lossy) format + packet: "yes" # enable dumping of packet (without stream segments) + metadata: + app-layer: false + flow: false + rule: + metadata: true + raw: true + + # http-body: "yes" # Requires metadata; enable dumping of http body in Base64 + # http-body-printable: "yes" # Requires metadata; enable dumping of http body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. 
+ tagged-packets: "no" + + + # deprecated - unified2 alert format for use with Barnyard2 + - unified2-alert: + enabled: "no" + # for further options see: + # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: "no" + filename: http.log + append: "yes" + #extended: "yes" # enable this for extended logging information + #custom: "yes" # enabled the custom logging format (defined by customformat) + #customformat: "" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: "no" # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: "yes" + #extended: "yes" # Log extended information like fingerprint + #custom: "yes" # enabled the custom logging format (defined by customformat) + #customformat: "" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: "no" + + # output module to store certificates chain to disk + - tls-store: + enabled: "no" + #certs-log-dir: certs # directory to store the certificates files + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. 
filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: "no" + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: "no"ne, lz4. + # Enabling compression is incompatible with the sguil mode. Note also + # that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: "no" + #lz4-level: 0 + + mode: normal # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: "no" #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: "no" # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. 
+ - alert-debug: + enabled: "no" + filename: alert-debug.log + append: "yes" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (https://www.prelude-siem.org/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: "no" + profile: suricata + log-packet-content: "no" + log-packet-header: "yes" + + # Stats.log contains data from various counters of the Suricata engine. + - stats: + enabled: "yes" + filename: stats.log + append: "yes" # append to file (yes) or overwrite it (no) + totals: "yes" # stats for all threads merged together + threads: "no" # per thread stats + null-values: "yes" # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: "no" + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # deprecated a line based information for dropped packets in IPS mode + - drop: + enabled: "no" + # further options documented at: + # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets + + # Output module for storing files on disk. Files are stored in a + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the existing file is touched to + # have its timestamps updated. + # + # Unlike the older filestore, metadata is not written out by default + # as each file should already have a "fileinfo" record in the + # eve.log. If write-fileinfo is set to yes, the each file will have + # one more associated .json files that consists of the fileinfo + # record. 
A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: "no" + + # Set the directory for the filestore. If the path is not + # absolute will be be relative to the default-log-dir. + #dir: filestore + + # Write out a fileinfo record for each occurrence of a + # file. Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: "yes" + + # Force storing of all files. Default: no. + #force-filestore: "yes" + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + + # Force logging of checksums, available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: "no" + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. 
+ deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # deprecated - file-store v1 + - file-store: + enabled: "no" + # further options documented at: + # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by stream.reassembly.depth + - tcp-data: + enabled: "no" + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: "no" + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://suricata.readthedocs.io/en/latest/output/lua-output.html + - lua: + enabled: "no" + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + + # Logging configuration. This is not about logging IDS alerts/events, but + # output about what Suricata is doing, like startup messages, errors, etc. + logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. 
Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This value is overridden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: "yes" + # type: json + - file: + enabled: "yes" + level: info + filename: suricata.log + # type: json + - syslog: + enabled: "no" + facility: local5 + format: "[%i] <%d> -- " + # type: json + + + ## + ## Step 4: configure common capture settings + ## + ## See "Advanced Capture Options" below for more options, including NETMAP + ## and PF_RING. + ## + + # Linux high speed capture support + af-packet: + - interface: bond0 + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 59 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for + # more info. 
+ # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (require cpu affinity tuning and system irq tuning) + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: "yes" + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + use-mmap: "yes" + # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock + # your system + #mmap-locked: "yes" + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency + tpacket-v3: "yes" + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independently of the number + # of threads: + ring-size: 2056 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: "yes" + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: "no" + # Choose checksum verification mode for the interface. 
At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: eth1 + # For eBPF and XDP setup including bypass, filter and load balancing, please + # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: "no" + #tpacket-v3: "yes" + + # Cross platform libpcap capture support + pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. 
+ # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: "no" + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + + # Settings for reading pcap files + pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + + # See "Advanced Capture Options" below for more options, including NETMAP + # and PF_RING. + + + ## + ## Step 5: App Layer Protocol Configuration + ## + + # Configure the app-layer parsers. The protocols section details each + # protocol. + # + # The option "enabled" takes 3 values - "yes", "no", "detection-only". + # "yes" enables both detection and the parser, "no" disables both, and + # "detection-only" enables protocol detection only (parser disabled). + app-layer: + protocols: + krb5: + enabled: "yes" + snmp: + enabled: "yes" + ikev2: + enabled: "yes" + tls: + enabled: "yes" + detection-ports: + dp: 443 + + # Generate JA3 fingerprint from client hello. If not specified it + # will be disabled by default, but enabled if rules require it. 
+ #ja3-fingerprints: auto + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + #encryption-handling: default + + dcerpc: + enabled: "yes" + ftp: + enabled: "yes" + # memcap: 64mb + # RDP, disabled by default. + rdp: + #enabled: "no" + ssh: + enabled: "yes" + smtp: + enabled: "yes" + raw-extraction: "no" + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: "yes" + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: "yes" + decode-quoted-printable: "yes" + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: "yes" + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: "no" + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + smb: + enabled: "yes" + detection-ports: + dp: 139, 445 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + + nfs: + enabled: "yes" + tftp: + enabled: "yes" + dns: + # memcaps. Globally and per flow/state. 
+ #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: "yes" + detection-ports: + dp: 53 + udp: + enabled: "yes" + detection-ports: + dp: 53 + http: + enabled: "yes" + # memcap: Maximum memory capacity for http + # Default is unlimited, value can be such as 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # + # For advanced options, see the user guide + + + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personalitiy: List of personalities used by this block + # + # Then, all the fields from default-config can be overloaded + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. 
+ # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: "yes" + type: both + compress-depth: 0 + decompress-depth: 0 + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: "yes" + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: "no" + double-decode-query: "no" + + # Can disable LZMA decompression + #lzma-enabled: "yes" + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # double-decode-query: "no" + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. 
+ # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # double-decode-query: "no" + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: "no" + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: "no" + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: "no" + detection-ports: + dp: 44818 + sp: 44818 + + ntp: + enabled: "yes" + + dhcp: + enabled: "yes" + + # SIP, disabled by default. + sip: + #enabled: "no" + + # Limit for the maximum number of asn1 frames to decode (default 256) + asn1-max-frames: 256 + + + ############################################################################## + ## + ## Advanced settings below + ## + ############################################################################## + + ## + ## Run Options + ## + + # Run suricata as user and group. + run-as: + user: suricata + group: suricata + + # Some logging module will use that name in event as identifier. The default + # value is the hostname + #sensor-name: suricata + + # Default location of the pid file. 
The pid file is only used in + # daemon mode (start Suricata with -D). If not running in daemon mode + # the --pidfile command line option must be used to create a pid file. + #pid-file: /var/run/suricata.pid + + # Daemon working directory + # Suricata will change directory to this one if provided + # Default: "/" + #daemon-directory: "/" + + # Umask. + # Suricata will use this umask if it is provided. By default it will use the + # umask passed on by the shell. + #umask: 022 + + # Suricata core dump configuration. Limits the size of the core dump file to + # approximately max-dump. The actual core dump size will be a multiple of the + # page size. Core dumps that would be larger than max-dump are truncated. On + # Linux, the actual core dump size may be a few pages larger than max-dump. + # Setting max-dump to 0 disables core dumping. + # Setting max-dump to 'unlimited' will give the full core dump file. + # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size + # to be 'unlimited'. + + coredump: + max-dump: unlimited + + # If Suricata box is a router for the sniffed networks, set it to 'router'. If + # it is a pure sniffing setup, set it to 'sniffer-only'. + # If set to auto, the variable is internally switch to 'router' in IPS mode + # and 'sniffer-only' in IDS mode. + # This feature is currently only used by the reject* keywords. + host-mode: auto + + # Number of packets preallocated per thread. The default is 1024. A higher number + # will make sure each CPU will be more easily kept busy, but may negatively + # impact caching. + max-pending-packets: 1024 + + # Runmode the engine should use. Please check --list-runmodes to get the available + # runmodes for each packet acquisition method. Default depends on selected capture + # method. 'workers' generally gives best performance. + runmode: workers + + # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 
+ # + # Supported schedulers are: + # + # hash - Flow assigned to threads using the 5-7 tuple hash. + # ippair - Flow assigned to threads using addresses only. + # + #autofp-scheduler: hash + + # Preallocated size for packet. Default is 1514 which is the classical + # size for pcap on ethernet. You should adjust this value to the highest + # packet size (MTU + hardware header) on your system. + default-packet-size: 1500 + + # Unix command socket can be used to pass commands to Suricata. + # An external tool can then connect to get information from Suricata + # or trigger some modifications of the engine. Set enabled to yes + # to activate the feature. In auto mode, the feature will only be + # activated in live capture mode. You can use the filename variable to set + # the file name of the socket. + unix-command: + enabled: auto + #filename: custom.socket + + # Magic file. The extension .mgc is added to the value here. + #magic-file: /usr/share/file/magic + #magic-file: + + # GeoIP2 database file. Specify path and filename of GeoIP2 database + # if using rules with "geoip" rule option. + #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb + + legacy: + uricontent: enabled + + ## + ## Detection settings + ## + + # Set the order of alerts based on actions + # The default order is pass, drop, reject, alert + # action-order: + # - pass + # - drop + # - reject + # - alert + + # IP Reputation + #reputation-categories-file: /etc/suricata/iprep/categories.txt + #default-reputation-path: /etc/suricata/iprep + #reputation-files: + # - reputation.list + + # When run with the option --engine-analysis, the engine will read each of + # the parameters below, and print reports for each of the enabled sections + # and exit. The reports are printed to a file in the default log dir + # given by the parameter "default-log-dir", with engine reporting + # subsection below printing reports in its own report file. 
+ engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: "yes" + # enables printing reports for each rule + rules: "yes" + + #recursion and match limits for PCRE where supported + pcre: + match-limit: 3500 + match-limit-recursion: 1500 + + ## + ## Advanced Traffic Tracking and Reconstruction Settings + ## + + # Host specific policies for defragmentation and TCP stream + # reassembly. The host OS lookup is done using a radix tree, just + # like a routing table so the most specific entry matches. + host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + + # Defrag settings: + + defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: "yes" + timeout: 60 + + # Enable defrag per host settings + # host-config: + # + # - dmz: + # timeout: 30 + # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] + # + # - lan: + # timeout: 45 + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # - 172.16.14.0/24 + + # Flow settings: + # By default, the reserved memory (memcap) for flows is 32MB. This is the limit + # for flow allocation inside the engine. You can change this value to allow + # more memory usage for flows. + # The hash-size determine the size of the hash used to identify flows inside + # the engine, and by default the value is 65536. + # At the startup, the engine can preallocate a number of flows, to get a better + # performance. The number of flows preallocated is 10000 by default. + # emergency-recovery is the percentage of flows that the engine need to + # prune before unsetting the emergency state. 
The emergency state is activated + # when the memcap limit is reached, allowing to create new flows, but + # pruning them with the emergency timeouts (they are defined below). + # If the memcap is reached, the engine will try to prune flows + # with the default timeouts. If it doesn't find a flow to prune, it will set + # the emergency bit and it will try again with more aggressive timeouts. + # If that doesn't work, then it will try to kill the last time seen flows + # not in use. + # The memcap can be specified in kb, mb, gb. Just a number indicates it's + # in bytes. + + flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + + # This option controls the use of vlan ids in the flow (and defrag) + # hashing. Normally this should be enabled, but in some (broken) + # setups where both sides of a flow are not tagged with the same vlan + # tag, we can ignore the vlan id's in the flow hashing. + vlan: + use-for-tracking: true + + # Specific timeouts for flows. Here you can specify the timeouts that the + # active flows will wait to transit from the current state to another, on each + # protocol. The value of "new" determine the seconds to wait after a handshake or + # stream startup before the engine free the data of that flow it doesn't + # change the state to established (usually if we don't receive more packets + # of that flow). The value of "established" is the amount of + # seconds that the engine will wait to free the flow if it spend that amount + # without receiving new packets or closing the connection. "closed" is the + # amount of time to wait after a flow is closed (usually zero). "bypassed" + # timeout controls locally bypassed flows. For these flows we don't do any other + # tracking. If no packets have been seen after this timeout, the flow is discarded. 
+ # + # There's an emergency mode that will become active under attack circumstances, + # making the engine to check flow status faster. This configuration variables + # use the prefix "emergency-" and work similar as the normal ones. + # Some timeouts doesn't apply to all the protocols, like "closed", for udp and + # icmp. + + flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + + # Stream engine settings. Here the TCP stream tracking and reassembly + # engine is configured. + # + # stream: + # memcap: 32mb # Can be specified in kb, mb, gb. Just a + # # number indicates it's in bytes. + # checksum-validation: "yes" # To validate the checksum of received + # # packet. If csum validation is specified as + # # "yes", then packet with invalid csum will not + # # be processed by the engine stream/app layer. + # # Warning: locally generated traffic can be + # # generated without checksum due to hardware offload + # # of checksum. 
You can control the handling of checksum + # # on a per-interface basis via the 'checksum-checks' + # # option + # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread + # midstream: false # don't allow midstream session pickups + # async-oneside: false # don't enable async stream handling + # inline: "no" # stream inline mode + # drop-invalid: "yes" # in inline mode, drop packets that are invalid with regards to streaming engine + # max-synack-queued: 5 # Max different SYN/ACKs to queue + # bypass: "no" # Bypass packets when stream.reassembly.depth is reached. + # # Warning: first side to reach this triggers + # # the bypass. + # + # reassembly: + # memcap: 64mb # Can be specified in kb, mb, gb. Just a number + # # indicates it's in bytes. + # depth: 1mb # Can be specified in kb, mb, gb. Just a number + # # indicates it's in bytes. + # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least + # # this size. Can be specified in kb, mb, + # # gb. Just a number indicates it's in bytes. + # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least + # # this size. Can be specified in kb, mb, + # # gb. Just a number indicates it's in bytes. + # randomize-chunk-size: "yes" # Take a random value for chunk size around the specified value. + # # This lower the risk of some evasion technics but could lead + # # detection change between runs. It is set to 'yes' by default. + # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is + # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size + # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same + # # calculation for toclient-chunk-size. + # # Default value of randomize-chunk-range is 10. + # + # raw: "yes" # 'Raw' reassembly enabled or disabled. + # # raw is for content inspection by detection + # # engine. 
+ # + # segment-prealloc: 2048 # number of segments preallocated per thread + # + # check-overlap-different-data: true|false + # # check if a segment contains different data + # # than what we've already seen for that + # # position in the stream. + # # This is enabled automatically if inline mode + # # is used or when stream-event:reassembly_overlap_different_data; + # # is used in a rule. + # + stream: + memcap: 64mb + checksum-validation: "yes" # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: "yes" + #randomize-chunk-range: 10 + #raw: "yes" + #segment-prealloc: 2048 + #check-overlap-different-data: true + + # Host table: + # + # Host table is used by tagging and per host thresholding subsystems. + # + host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + + # IP Pair table: + # + # Used by xbits 'ippair' tracking. + # + #ippair: + # hash-size: 4096 + # prealloc: 1000 + # memcap: 32mb + + # Decoder settings + + decoder: + # Teredo decoder is known to not be completely accurate + # as it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 4789 is enabled. + vxlan: + enabled: true + ports: $VXLAN_PORTS # syntax: '8472, 4789' + # ERSPAN Type I decode support + erspan: + typeI: + enabled: false + + + ## + ## Performance tuning and profiling + ## + + # The detection engine builds internal groups of signatures. 
The engine + # allow us to specify the profile to use for them, to manage memory on an + # efficient way keeping a good performance. For the profile keyword you + # can use the words "low", "medium", "high" or "custom". If you use custom + # make sure to define the values at "- custom-values" as your convenience. + # Usually you would prefer medium/high/low. + # + # "sgh mpm-context", indicates how the staging should allot mpm contexts for + # the signature groups. "single" indicates the use of a single context for + # all the signature group heads. "full" indicates a mpm-context for each + # group head. "auto" lets the engine decide the distribution of contexts + # based on the information the engine gathers on the patterns from each + # group head. + # + # The option inspection-recursion-limit is used to limit the recursive calls + # in the content inspection code. For certain payload-sig combinations, we + # might end up taking too much time in the content inspection code. + # If the argument specified is 0, the engine uses an internally defined + # default limit. On not specifying a value, we use no limits on the recursion. + detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: "yes" + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. 
+ grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + + # Select the multi pattern algorithm you want to run for scan/search the + # in the engine. + # + # The supported algorithms are: + # "ac" - Aho-Corasick, default implementation + # "ac-bs" - Aho-Corasick, reduced memory implementation + # "ac-ks" - Aho-Corasick, "Ken Steele" variant + # "hs" - Hyperscan, available when built with Hyperscan support + # + # The default mpm-algo value of "auto" will use "hs" if Hyperscan is + # available, "ac" otherwise. + # + # The mpm you choose also decides the distribution of mpm contexts for + # signature groups, specified by the conf - "detect.sgh-mpm-context". + # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" + # to be set to "single", because of ac's memory requirements, unless the + # ruleset is small enough to fit in one's memory, in which case one can + # use "full" with "ac". Rest of the mpms can be run in "full" mode. + + mpm-algo: auto + + # Select the matching algorithm you want to use for single-pattern searches. + # + # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only + # available if Suricata has been built with Hyperscan support). + # + # The default of "auto" will use "hs" if available, otherwise "bm". + + spm-algo: auto + + # Suricata is multi-threaded. Here the threading can be influenced. + threading: + set-cpu-affinity: "yes" + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. 
+ # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + + # Luajit has a strange memory requirement, it's 'states' need to be in the + # first 2G of the process' memory. + # + # 'luajit.states' is used to control how many states are preallocated. + # State use: per detect script: 1 per detect thread. Per output script: 1 per + # script. + luajit: + states: 128 + + # Profiling settings. Only effective if Suricata has been built with the + # the --enable-profiling configure flag. + # + profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: "yes" + filename: rule_perf.log + append: "yes" + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). 
+ limit: 10 + + # output to json + json: "yes" + + # per keyword profiling + keywords: + enabled: "yes" + filename: keyword_perf.log + append: "yes" + + prefilter: + enabled: "yes" + filename: prefilter_perf.log + append: "yes" + + # per rulegroup profiling + rulegroups: + enabled: "yes" + filename: rule_group_perf.log + append: "yes" + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: "yes" + filename: packet_stats.log + append: "yes" + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: "no" + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: "no" + filename: lock_stats.log + append: "yes" + + pcap-log: + enabled: "no" + filename: pcaplog_stats.log + append: "yes" + + ## + ## Netfilter integration + ## + + # When running in NFQ inline mode, it is possible to use a simulated + # non-terminal NFQUEUE verdict. + # This permit to do send all needed packet to Suricata via this a rule: + # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE + # And below, you can have your standard filtering ruleset. To activate + # this mode, you need to set mode to 'repeat' + # If you want packet to be sent to another queue after an ACCEPT decision + # set mode to 'route' and set next-queue value. + # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance + # by processing several packets before sending a verdict (worker runmode only). + # On linux >= 3.6, you can set the fail-open option to yes to have the kernel + # accept the packet if Suricata is not able to keep pace. + # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is + # set then the NFQ bypass is activated. 
Suricata will set the bypass mark/mask + # on packet of a flow that need to be bypassed. The Nefilter ruleset has to + # directly accept all packets of a flow once a packet has been marked. + nfq: + # mode: accept + # repeat-mark: 1 + # repeat-mask: 1 + # bypass-mark: 1 + # bypass-mask: 1 + # route-queue: 2 + # batchcount: 20 + # fail-open: "yes" + + #nflog support + nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + + ## + ## Advanced Capture Options + ## + + # general settings affecting packet capture + capture: + # disable NIC offloading. It's restored when Suricata exits. + # Enabled by default. + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # commandline. + #checksum-validation: none + + # Netmap support + # + # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have + # built-in netmap support or compile and install netmap module and appropriate + # NIC driver on your Linux system. + # To reach maximum throughput disable all receive-, segmentation-, + # checksum- offloadings on NIC. + # Disabling Tx checksum offloading is *required* for connecting OS endpoint + # with NIC endpoint. + # You can find more information at https://github.com/luigirizzo/netmap + # + netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of capture threads. "auto" uses number of RSS queues on interface. + # Warning: unless the RSS hashing is symmetrical, this will lead to + # accuracy issues. 
+ #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: "no" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + + # PF_RING configuration. for use with native PF_RING support + # for more info see http://www.ntop.org/products/pf_ring/ + pfring: + - interface: eth0 + # Number of receive threads. If set to 'auto' Suricata will first try + # to use CPU (core) count and otherwise RSS queue count. + threads: auto + + # Default clusterid. 
PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + + # bpf filter for this interface + #bpf-filter: tcp + + # If bypass is set then the PF_RING hw bypass is activated, when supported + # by the interface in use. Suricata will instruct the interface to bypass + # all future packets for a flow that need to be bypassed. + #bypass: "yes" + + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + + # For FreeBSD ipfw(8) divert(4) support. + # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" + # in /etc/loader.conf or kldload'ing the appropriate kernel modules. + # Additionally, you need to have an ipfw rule for the engine to see + # the packets from ipfw. For Example: + # + # ipfw add 100 divert 8000 ip from any to any + # + # The 8000 above should be the same number you passed on the command + # line, i.e. -d 8000 + # + ipfw: + + # Reinject packets at the specified ipfw rule number. 
This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + + napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + # This may be enabled when sharing streams with another application. + # Otherwise, it should be turned off. + #hba: -1 + + # When use_all_streams is set to "yes" the initialization code will query + # the Napatech service for all configured streams and listen on all of them. + # When set to "no" the streams config array will be used. + # + # This option necessitates running the appropriate NTPL commands to create + # the desired streams prior to running suricata. + #use-all-streams: "no" + + # The streams to listen on when auto-config is disabled or when and threading + # cpu-affinity is disabled. This can be either: + # an individual stream (e.g. streams: [0]) + # or + # a range of streams (e.g. streams: ["0-3"]) + # + streams: ["0-3"] + + # When auto-config is enabled the streams will be created and assigned + # automatically to the NUMA node where the thread resides. If cpu-affinity + # is enabled in the threading section. Then the streams will be created + # according to the number of worker threads specified in the worker cpu set. + # Otherwise, the streams array is used to define the streams. + # + # This option cannot be used simultaneous with "use-all-streams". 
+ #
+ auto-config: "yes"
+
+ # Ports indicates which napatech ports are to be used in auto-config mode.
+ # these are the port ID's of the ports that will be merged prior to the
+ # traffic being distributed to the streams.
+ #
+ # This can be specified in any of the following ways:
+ #
+ # a list of individual ports (e.g. ports: [0,1,2,3])
+ #
+ # a range of ports (e.g. ports: [0-3])
+ #
+ # "all" to indicate that all ports are to be merged together
+ # (e.g. ports: [all])
+ #
+ # This has no effect if auto-config is disabled.
+ #
+ ports: [all]
+
+ # When auto-config is enabled the hashmode specifies the algorithm for
+ # determining to which stream a given packet is to be delivered.
+ # This can be any valid Napatech NTPL hashmode command.
+ #
+ # The most common hashmode commands are: hash2tuple, hash2tuplesorted,
+ # hash5tuple, hash5tuplesorted and roundrobin.
+ #
+ # See Napatech NTPL documentation other hashmodes and details on their use.
+ #
+ # This has no effect if auto-config is disabled.
+ #
+ hashmode: hash5tuplesorted
+
+ ##
+ ## Configure Suricata to load Suricata-Update managed rules.
+ ##
+ ## If this section is completely commented out move down to the "Advanced rule
+ ## file configuration".
+ ##
+
+ default-rule-path: /etc/suricata/rules
+
+ rule-files:
+ - all.rules
+
+ ##
+ ## Auxiliary configuration files.
+ ##
+
+ classification-file: /etc/suricata/classification.config
+ reference-config-file: /etc/suricata/reference.config
+ # threshold-file: /etc/suricata/threshold.config
+
+ ##
+ ## Include other configs
+ ##
+
+ # Includes. Files included here will be handled as if they were
+ # inlined in this configuration file.
+ #include: include1.yaml
+ #include: include2.yaml
+
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 0f3d49bc3..e53b7332b 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -20,6 +20,9 @@ {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} {% set BPF_STATUS = 0 %} +{# import_yaml 'suricata/files/defaults2.yaml' as suricata #} +{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %} + # Suricata # Add Suricata Group @@ -80,6 +83,14 @@ suriconfigsync: - group: 940 - template: jinja +test_suri_config: + file.managed: + - name: /opt/so/conf/suricata/test.yaml + - source: salt://suricata/files/test.jinja + - context: + suricata: {{ suricata|json }} + - template: jinja + surithresholding: file.managed: - name: /opt/so/conf/suricata/threshold.conf diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja new file mode 100644 index 000000000..7eeb8379d --- /dev/null +++ b/salt/suricata/suricata_config.map.jinja 
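Review bot: `test_suri_config` renders `salt://suricata/files/test.jinja`, but this patch's diffstat creates only `salt/suricata/files/defaults.yaml`, so the template does not exist at this point in the series (it is first added in patch 021) and the state fails on apply; the new `file.managed` also sets no `user`/`group`/`mode`, unlike the neighbouring `suriconfigsync`, which pins `- group: 940`. Because the rendered file is a full dump of the Suricata configuration (`suricata: {{ suricata|json }}`), pin its ownership and keep it unreadable to others, e.g. `- group: 940` and `- mode: 640`. The commented-out `{# import_yaml 'suricata/files/defaults2.yaml' as suricata #}` names a third defaults filename beside `defaults.yaml` and the map file's `defaults3.yaml`; drop it or align the names so the next reader knows which file is authoritative.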
@@ -0,0 +1,36 @@ +{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %} +{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} +{% set evelog_index = [] %} + +{% set hardware_header = 15 %} +{% set default_packet_size = salt['grains.filter_by']({ + '*_eval': { + 'default-packet-size': 1500 + hardware_header, + }, + '*_helix': { + 'default-packet-size': 9000 + hardware_header, + }, + '*': { + 'default-packet-size': 1500 + hardware_header, + }, +},grain='id', merge=salt['pillar.get']('suricata')) %} + +{% set meta_data = salt['pillar.filter_by']({ + 'SURICATA': suricata_meta.suricata.lookup.outputs[0], + 'default': suricata_defaults.suricata.lookup.outputs[1] +},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %} + +{% do suricata_defaults.suricata.lookup.update(default_packet_size) %} +{% for li in suricata_defaults.suricata.lookup.outputs %} + {% for k, v in li.items() %} + {% if k == 'eve-log' %} + {% do evelog_index.append(li) %} + {# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #} + {% endif %} + {% endfor %} +{% endfor %} + + +{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #} + +{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %} \ No newline at end of file diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml new file mode 100644 index 000000000..b052a3c9b --- /dev/null +++ b/salt/suricata/suricata_meta.yaml 
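Review bot: The first line imports `suricata/files/defaults3.yaml`, yet the only defaults file this patch adds is `salt/suricata/files/defaults.yaml`, so the import fails at render time unless a file of that name already exists outside the patch. `meta_data` is computed from `static:broversion` but its only consumers are the two commented-out `{# do ... update(meta_data) #}` lines, and `evelog_index` and the final `suricata_yaml` are assigned and never read, so the pillar merge this file is meant to provide never takes effect; either wire `meta_data` into `suricata_defaults.suricata.lookup.outputs` or remove the dead assignments until they are used. `{% set hardware_header = 15 %}` is added to the MTU-sized packet size and deserves a comment stating which headers the 15 bytes are meant to cover, e.g. `{# extra bytes added to the MTU for link-layer framing; see default-packet-size #}`.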
@@ -0,0 +1,136 @@ +suricata: + lookup: + outputs: + - eve-log: + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is disabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # enabled. + enabled: "no" + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. 
+ types: + decode: "no" + stream: "no" + applayer: "yes" + packethdr: "no" + - http: + extended: "yes" # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one among {both, request, response} + # to dump all http headers for every http request and/or response + # dump-all-headers: none + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format + + # As of Suricata 5.0, version 2 of the eve dns output + # format is the default. + version: 2 + + # Enable/disable this logger. Default: enabled. + enabled: "yes" + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: "no" + #responses: "no" + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Types to log, based on the query type. + # Default: all. 
+ #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: "yes" # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: "no" + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: "no" # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: "yes" # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + + - smtp: + extended: "yes" # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - dnp3 + - ftp + - rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + - sip + - dhcp: + enabled: "yes" + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + # extended: "no" + - ssh + #- stats: + # totals: "yes" # stats for all threads merged together + # threads: "no" # per thread stats + # deltas: "no" # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. 
Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata \ No newline at end of file From 03dfece9af3f8266caba7687d32a2ddf720dde92 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 14:18:25 -0400 Subject: [PATCH 003/314] [feat] Fail setup early if "ERROR" is found in setup log --- setup/so-functions | 5 +++-- setup/so-setup | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 70c96f794..3fb98cd23 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1241,8 +1241,9 @@ salt_checkin() { cat /etc/pki/ca.crt echo " Applyng a mine hack"; salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt; - echo " Confirming salt mine now contain the certificate" - salt \* mine.get \* x509.get_pem_entries + salt '*' mine.update; + echo " Confirming salt mine now contain the certificate"; + salt '*' mine.get '*' x509.get_pem_entries; echo " Applying SSL state"; salt-call state.apply ssl; } >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index 478151def..54b5a03e4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -52,10 +52,14 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if [ $automated == no ]; then + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + whiptail_setup_failed + fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else cat >> $setup_log 2>&1 fi + } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then @@ -389,7 +393,6 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' create_local_directories >> $setup_log 2>&1 From 379a5445e88dbcb61ce53f097d2958018c85e0fe Mon Sep 17 00:00:00 2001 
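Review bot: The `files:` entry enables file logging with `force-magic: "no"` and leaves `force-hash` commented out, so logged file events carry no checksum; the comment above it already lists md5, sha1 and sha256 as available, and `force-hash: [sha256]` would let analysts match logged files against intel and verify carved copies. The anomaly block sets `enabled: "no"` while its `types:` sets `applayer: "yes"`, which the surrounding comment says only takes effect once anomaly logging is enabled; a one-line note such as `# types below are inert until enabled is "yes"` would prevent a reader from assuming applayer anomalies are logged. Bare entries (`- dnp3`, `- ftp`, `- ssh`, `- flow`) are mixed with mapping entries in the same `eve-log` list, which Suricata accepts in its own types list, but if this file is consumed by the map.jinja merge rather than passed through verbatim that mixed shape is worth documenting at the top of the file.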
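Review bot: `[[ -s /var/spool/mail/root ]]` in `progress()` treats any non-empty root mailbox as a setup failure, including mail that existed before setup started, so an install on a host with old root mail aborts at the first progress call; the same test is carried forward by the later hunks in this series (patches 004, 005 and 007, whose message even says the spool "grew"). Record the size once before setup begins, `root_mail_start=$(stat -c %s /var/spool/mail/root 2>/dev/null || echo 0)`, and compare against it, `[[ $(stat -c %s /var/spool/mail/root 2>/dev/null || echo 0) -gt $root_mail_start ]]`. `grep -q "ERROR" $setup_log` is a substring match over the whole log, so any tool output that merely contains the word trips it; anchoring on the script's own marker, `grep -q '\[ ERROR \]' "$setup_log"`, is more reliable, though I can't see from this hunk which callers write which markers. Quote `"$setup_log"` in both greps. `progress` is defined entirely inside the hunk.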
From: William Wernert Date: Wed, 10 Jun 2020 14:27:18 -0400 Subject: [PATCH 004/314] [feat] Also exit with non-zero status for automated installs --- setup/so-setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 54b5a03e4..86d3b5e5c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -57,6 +57,9 @@ function progress() { fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + exit 1 + fi cat >> $setup_log 2>&1 fi From 7de02752e5d9c44e294714ca74aede5ceb62f870 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:29:54 -0400 Subject: [PATCH 005/314] [fix] Reboot on early failure too, better if statements --- setup/so-setup | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 86d3b5e5c..495e92637 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,18 +51,17 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if [ $automated == no ]; then - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - whiptail_setup_failed - fi - whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi + + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi else - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - exit 1 + if [ $automated == no ]; then + whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + else + cat >> $setup_log 2>&1 fi - cat >> $setup_log 2>&1 fi - } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then 
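Review bot: In the failure branch of `progress()` (patch 004's `exit 1`, and patch 005's rewrite in the second hunk on this line) the function exits or reboots without reading its stdin, so if it is the consumer of a pipe the output of the step that was running never reaches `$setup_log` and the log stops just before the part an operator needs. I am inferring the pipe usage from the `cat >> $setup_log 2>&1` branch, since the call sites are outside the hunk; if that is how it is invoked, drain stdin first with `cat >> "$setup_log" 2>&1` before the `exit 1`/`shutdown -r now`. In patch 005 the reboot decision is silent; `echo "[ ERROR ] setup failed, rebooting (set SKIP_REBOOT to keep the host up)" >> "$setup_log"` before the `shutdown` would leave a trace of why the host went down.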
@@ -368,10 +367,10 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 @@ -599,10 +598,12 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi + if [[ $THEHIVE == 1 ]]; then check_hive_init fi From 07b2f2885cce4935a99269ee0add4037b2b502af Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:32:46 -0400 Subject: [PATCH 006/314] [fix] Always exit on early failure --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 495e92637..8c1ffe6a1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -54,7 +54,7 @@ function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi - if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi else if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 From ce86dbfac0b11366ab04bc352f74a86c3feefe30 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 11 Jun 2020 09:24:23 -0400 Subject: [PATCH 007/314] [feat] Add message about root mail spool growing --- setup/so-setup | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 8c1ffe6a1..3b5653cbc 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -52,6 +52,10 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ -s /var/spool/mail/root ]]; then + echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 + fi + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi From cbfe375407d95ffd8845e05c5ffe7786f2c6bd35 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 17 Jun 2020 13:16:52 +0000 Subject: [PATCH 008/314] Custom analyzer and responder dirs --- salt/thehive/etc/cortex-application.conf | 16 ++++++++++++++++ salt/thehive/init.sls | 18 +++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/salt/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf index 1a887cdb3..28fbe6791 100644 --- a/salt/thehive/etc/cortex-application.conf +++ b/salt/thehive/etc/cortex-application.conf @@ -127,4 +127,20 @@ analyzer { } } +## RESPONDERS +## +responder { + # Directory that holds responders + urls = ["/Cortex-Analyzers/responders", "/custom-responders"] + + fork-join-executor { + # Min number of threads available for analyze + parallelism-min = 2 + # Parallelism (threads) ... ceil(available processors * factor) + parallelism-factor = 2.0 + # Max number of threads available for analyze + parallelism-max = 4 + } +} + # It's the end my friend. Happy hunting! diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 732fe4a77..74ca71630 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls 
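Review bot: The three comments inside the new `fork-join-executor` block were copied from the analyzer section and still say "threads available for analyze" although this pool serves responders; change them to `# Min number of threads available for responders` and `# Max number of threads available for responders`. The `urls` comment explains only the first element; `# Directories that hold responders; /custom-responders is a host directory bind-mounted read-only by salt/thehive/init.sls` would tell a reader where the second path comes from.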
@@ -44,6 +44,20 @@ cortexconf: - user: 939 - group: 939 - template: jinja +i +cortexanalyzers: + file.directory: + - name: /opt/so/conf/cortex/custom-analyzers + - user: 939 + - group: 939 + - template: jinja + +cortexresponders: + file.directory: + - name: /opt/so/conf/cortex/custom-responders + - user: 939 + - group: 939 + - template: jinja # Install Elasticsearch @@ -91,7 +105,9 @@ so-cortex: - user: 939 - binds: - /opt/so/conf/thehive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro - - port_bindings: + - /opt/so/conf/cortex/custom-analyzers:/custom-analyzers:ro + - /opt/so/conf/cortex/custom-responders:/custom-responders:ro + - port_bindings: - 0.0.0.0:9001:9001 cortexscript: From 1beff65cc9f2e84eba9a2894fcb7f168e555c32c Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 17 Jun 2020 13:20:32 +0000 Subject: [PATCH 009/314] fix typo --- salt/thehive/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 74ca71630..dcb6d3f3b 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -44,7 +44,7 @@ cortexconf: - user: 939 - group: 939 - template: jinja -i + cortexanalyzers: file.directory: - name: /opt/so/conf/cortex/custom-analyzers From 3451f74b63b746392e40cb2f03d4195e246d8ff2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 17 Jun 2020 10:32:39 -0400 Subject: [PATCH 010/314] Update version to 2.0.0-rc.1 --- VERSION | 2 +- setup/so-functions | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/VERSION b/VERSION index e21e727f9..d0c10bc48 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.0 \ No newline at end of file +2.0.0-rc.1 \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 25cbd11d8..dcbd33b1a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
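Review bot: `cortexanalyzers` and `cortexresponders` pass `- template: jinja` to `file.directory`, which is a `file.managed` option; Salt will most likely reject the state with an invalid-argument error instead of creating the directory, and the stray `i` line before `cortexanalyzers` breaks the YAML as well (patch 009 removes the `i`, the `template` key survives). Drop `- template: jinja` from both stanzas and set an explicit mode, e.g. `- mode: 750`, since these directories hold analyzer and responder code that Cortex executes and they are mounted into the container in the second hunk. That second hunk mounts both custom directories `:ro`, which is the right choice for executable content, but `- port_bindings:` lands one level deeper than the other arguments (corrected in patch 015).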
@@ -19,7 +19,7 @@ source ./so-whiptail source ./so-variables source ./so-common-functions -SOVERSION=1.4.0 +SOVERSION=2.0.0-rc.1 accept_salt_key_remote() { systemctl restart salt-minion @@ -689,7 +689,7 @@ docker_registry() { } docker_seed_registry() { - local VERSION="HH$SOVERSION" + local VERSION="$SOVERSION" if ! [ -f /nsm/docker-registry/docker/registry.tar ]; then local TRUSTED_CONTAINERS=(\ @@ -929,7 +929,7 @@ master_static() { # Create a static file for global values printf '%s\n'\ "static:"\ - " soversion: HH$SOVERSION"\ + " soversion: $SOVERSION"\ " hnmaster: $HNMASTER"\ " ntpserver: $NTPSERVER"\ " proxy: $PROXY"\ From 6bf8f0af0847c95e8be0bc1f528210968b5f7c94 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 17 Jun 2020 10:46:07 -0400 Subject: [PATCH 011/314] Eliminate multiple version definitions in this repo --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index dcbd33b1a..1ba4b66a1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -19,7 +19,7 @@ source ./so-whiptail source ./so-variables source ./so-common-functions -SOVERSION=2.0.0-rc.1 +SOVERSION=$(cat ../VERSION) accept_salt_key_remote() { systemctl restart salt-minion From 3418f5748c65c29186c94542ecbe3fa00a1ce9ca Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 17 Jun 2020 13:08:47 -0400 Subject: [PATCH 012/314] Fleet custom hostname regex fix --- salt/reactor/fleet.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 609806de8..4b09abe0a 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls 
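Review bot: `SOVERSION=$(cat ../VERSION)` resolves `../VERSION` against the caller's working directory rather than the script's location, and when the read fails the variable is silently empty, which then yields image references with an empty tag in `TRUSTED_CONTAINERS` and an empty `soversion:` in the static pillar written by `master_static`. Fail loudly instead: `SOVERSION=$(cat ../VERSION) || { echo "VERSION file not found" >&2; exit 1; }`, and if the script is not always run from the setup directory derive the path from the script, `$(dirname "${BASH_SOURCE[0]}")/../VERSION`. The adjacent `source ./so-whiptail` lines already assume that working directory, so the cwd dependency may be intentional; a one-line comment saying so would stop the next reader from "fixing" it.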
@@ -82,7 +82,7 @@ def run():
# Update the Fleet host in the static pillar
for line in fileinput.input(STATICFILE, inplace=True):
- line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())
+ line = re.sub(r'fleet_custom_hostname:.*\n', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())
print(line)
return {}
From 90c278096c23059def9883f9b89aef217a8840f7 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 17 Jun 2020 17:11:27 +0000
Subject: [PATCH 013/314] Add custom Zeek script dir
---
 salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
diff --git a/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE b/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
new file mode 100644
index 000000000..e69de29bb
From 6d25151ab8dc1dbe5af05a1fdb1a3f5dc72a4991 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 17 Jun 2020 18:59:13 +0000
Subject: [PATCH 014/314] Basic index read-only attr removal script
---
 .../tools/sbin/so-elasticsearch-indices-rw | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-indices-rw
diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw
new file mode 100644
index 000000000..acc46ff0d
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw
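Review bot: The new pattern `r'fleet_custom_hostname:.*\n'` can never match, because the subject is `line.rstrip()`, which has already stripped the trailing newline, so the substitution is now a no-op and `fleet_custom_hostname` in the static pillar is never updated. Drop the `\n`: `line = re.sub(r'fleet_custom_hostname:.*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())`. `CUSTOMHOSTNAME` is interpolated into a YAML pillar unquoted, so a value containing `#`, `: ` or a leading YAML indicator changes the pillar's structure; validate it as a hostname or write it quoted before it reaches this line. Where the value originates and the rest of `run()` are outside the hunk.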
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] }}
+ESPORT=9200
+THEHIVEESPORT=9400
+
+echo "Removing read only attributes for indices..."
+echo
+for p in $ESPORT $THEHIVEESPORT; do
+ curl -XPUT -H "Content-Type: application/json" http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi;
+done
From 2f3a99cfb07941f54930f9d3823cb9fca963ce9b Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 17 Jun 2020 17:42:35 -0400
Subject: [PATCH 015/314] fix: indentation is incorrect
---
 salt/thehive/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls
index dcb6d3f3b..da07247c4 100644
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
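Review bot: The pipeline `curl ... 2>&1 | if grep -q ack; ...; fi` discards curl's exit status and the script always exits 0, so a caller or cron job cannot tell that the read-only block was not cleared, and `ack` is a loose substring that can also appear in an error body. Use `curl -sS -f` and branch on its status, e.g. `if out=$(curl -sS -f -XPUT -H "Content-Type: application/json" "http://$IP:$p/_all/_settings" -d '{"index.blocks.read_only_allow_delete": null}') && grep -q acknowledged <<<"$out"; then`, and exit non-zero at the end if any port failed. The header comment should state that Elasticsearch sets `read_only_allow_delete` when disk is nearly full and will set it again unless space has been freed, so this script is only a follow-up step; that is Elasticsearch behaviour, not visible here. Typo in the failure message: `any issue` should be `an issue`.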
@@ -107,7 +107,7 @@ so-cortex: - /opt/so/conf/thehive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro - /opt/so/conf/cortex/custom-analyzers:/custom-analyzers:ro - /opt/so/conf/cortex/custom-responders:/custom-responders:ro - - port_bindings: + - port_bindings: - 0.0.0.0:9001:9001 cortexscript: From 6dbe83a77fe7f52ca0f1ebbb7d861b8d81681c10 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 18 Jun 2020 12:38:07 -0400 Subject: [PATCH 016/314] Update so-docker-refresh --- salt/common/tools/sbin/so-docker-refresh | 83 ++++++++++++------------ 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index 3c1a2e301..75415e6fa 100644 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh 
@@ -61,52 +61,51 @@ version_check # Use the hostname HOSTNAME=$(hostname) -BUILD=HH # List all the containers if [ $MASTERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( \ - "so-acng:$BUILD$VERSION" \ - "so-thehive-cortex:$BUILD$VERSION" \ - "so-curator:$BUILD$VERSION" \ - "so-domainstats:$BUILD$VERSION" \ - "so-elastalert:$BUILD$VERSION" \ - "so-elasticsearch:$BUILD$VERSION" \ - "so-filebeat:$BUILD$VERSION" \ - "so-fleet:$BUILD$VERSION" \ - "so-fleet-launcher:$BUILD$VERSION" \ - "so-freqserver:$BUILD$VERSION" \ - "so-grafana:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-influxdb:$BUILD$VERSION" \ - "so-kibana:$BUILD$VERSION" \ - "so-kratos:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-mysql:$BUILD$VERSION" \ - "so-navigator:$BUILD$VERSION" \ - "so-nginx:$BUILD$VERSION" \ - "so-playbook:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-soc:$BUILD$VERSION" \ - "so-soctopus:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - "so-strelka:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-thehive:$BUILD$VERSION" \ - "so-thehive-es:$BUILD$VERSION" \ - "so-wazuh:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) + "so-acng:$VERSION" \ + "so-thehive-cortex:$VERSION" \ + "so-curator:$VERSION" \ + "so-domainstats:$VERSION" \ + "so-elastalert$VERSION" \ + "so-elasticsearch:$VERSION" \ + "so-filebeat:$VERSION" \ + "so-fleet:$VERSION" \ + "so-fleet-launcher:$VERSION" \ + "so-freqserver:$VERSION" \ + "so-grafana:$VERSION" \ + "so-idstools:$VERSION" \ + "so-influxdb:$VERSION" \ + "so-kibana:$VERSION" \ + "so-kratos:$VERSION" \ + "so-logstash:$VERSION" \ + "so-mysql:$VERSION" \ + "so-navigator:$VERSION" \ + "so-nginx:$VERSION" \ + "so-playbook:$VERSION" \ + "so-redis:$VERSION" \ + "so-soc:$VERSION" \ + "so-soctopus:$VERSION" \ + "so-steno:$VERSION" \ + "so-strelka:$VERSION" \ + "so-suricata:$VERSION" \ + "so-telegraf:$VERSION" \ + "so-thehive:$VERSION" \ + "so-thehive-es:$VERSION" \ + "so-wazuh:$VERSION" \ + 
"so-zeek:$VERSION" ) else TRUSTED_CONTAINERS=( \ - "so-filebeat:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-nginx:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) + "so-filebeat:$VERSION" \ + "so-idstools:$VERSION" \ + "so-logstash:$VERSION" \ + "so-nginx:$VERSION" \ + "so-redis:$VERSION" \ + "so-steno:$VERSION" \ + "so-suricata:$VERSION" \ + "so-telegraf:$VERSION" \ + "so-zeek:$VERSION" ) fi -update_docker_containers \ No newline at end of file +update_docker_containers From 76e3118bd3af981fd1867bb62cfee42831c41961 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 21 Jun 2020 08:33:09 -0400 Subject: [PATCH 017/314] Split Sensoroni and Stenographer executables into separate images --- salt/pcap/files/sensoroni.json | 1 + salt/pcap/init.sls | 59 +++++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 15 deletions(-) diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index 81776b021..ed673d969 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -12,6 +12,7 @@ "apiKey": "{{ SENSORONIKEY }}" }, "stenoquery": { + "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 93203ca5b..9910507b7 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -20,19 +20,28 @@ # PCAP Section -# Create the logstash group stenographergroup: group.present: - name: stenographer - gid: 941 -# Add the logstash user for the jog4j settings stenographer: user.present: - uid: 941 - gid: 941 - home: /opt/so/conf/steno +sensoronigroup: + group.present: + - name: sensoroni + - gid: 948 + +sensoroni: + user.present: + - uid: 948 + - gid: 948 + - home: /opt/so/conf/steno + stenoconfdir: file.directory: - name: /opt/so/conf/steno 
@@ -58,8 +67,8 @@ stenoconf: file.managed: - name: /opt/so/conf/steno/config - source: salt://pcap/files/config - - user: root - - group: root + - user: stenographer + - group: stenographer - mode: 644 - template: jinja - defaults: @@ -67,10 +76,10 @@ stenoconf: sensoroniagentconf: file.managed: - - name: /opt/so/conf/steno/sensoroni.json + - name: /opt/so/conf/sensoroni/sensoroni.json - source: salt://pcap/files/sensoroni.json - - user: stenographer - - group: stenographer + - user: sensoroni + - group: sensoroni - mode: 600 - template: jinja @@ -97,8 +106,8 @@ pcaptmpdir: pcapoutdir: file.directory: - name: /nsm/pcapout - - user: 941 - - group: 941 + - user: sensoroni + - group: sensoroni - makedirs: True pcapindexdir: 
@@ -115,23 +124,43 @@ stenolog: - group: 941 - makedirs: True +pcap_network: + docker_network.present + so-steno: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }} - network_mode: host - privileged: True - - port_bindings: - - 127.0.0.1:1234:1234 + - networks: + - pcap_network: + - aliases: + - steno + - require: + - docker_network: pcap_network - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /opt/so/conf/steno/config:/etc/stenographer/config:rw - /nsm/pcap:/nsm/pcap:rw - /nsm/pcapindex:/nsm/pcapindex:rw - /nsm/pcaptmp:/tmp:rw - - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw - - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - - /opt/so/log/stenographer:/opt/sensoroni/logs:rw - watch: - file: /opt/so/conf/steno/config - - file: /opt/so/conf/steno/sensoroni.json + +so-sensoroni: + docker_container.running: + - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }} + - networks: + - pcap_network: + - aliases: + - sensoroni + - require: + - docker_network: pcap_network + - binds: + - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw + - /nsm/pcapout:/nsm/pcapout:rw + - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw + - watch: + - file: /opt/so/conf/sensoroni/sensoroni.json From 81ed656ba041aff5df362aaea6bd0466410621de Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 21 Jun 2020 10:50:10 -0400 Subject: [PATCH 018/314] Bind both steno and sensoroni processes to host network --- salt/pcap/init.sls | 49 +++++++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 29 deletions(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 9910507b7..310b7e153 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls 
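Review bot: `so-sensoroni` bind-mounts `/opt/so/conf/steno/certs:/etc/stenographer/certs:rw`, giving the Sensoroni container write access to the stenographer CA and keys it only needs to read; the same `:rw` survives patch 018's rewrite of this stanza on a later line. Mount it `- /opt/so/conf/steno/certs:/etc/stenographer/certs:ro` so a compromised or buggy agent cannot replace the certificates that protect pcap retrieval. The container is started from the `so-soc` image, which is surprising under a commit titled "separate images"; if the sensoroni binary ships inside that image, a comment `# sensoroni executable is packaged in the so-soc image` would save the next reader a lookup.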
@@ -31,17 +31,6 @@ stenographer: - gid: 941 - home: /opt/so/conf/steno -sensoronigroup: - group.present: - - name: sensoroni - - gid: 948 - -sensoroni: - user.present: - - uid: 948 - - gid: 948 - - home: /opt/so/conf/steno - stenoconfdir: file.directory: - name: /opt/so/conf/steno @@ -49,6 +38,13 @@ stenoconfdir: - group: 939 - makedirs: True +sensoroniconfdir: + file.directory: + - name: /opt/so/conf/sensoroni + - user: 939 + - group: 939 + - makedirs: True + {% if BPF_STENO %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} @@ -78,8 +74,8 @@ sensoroniagentconf: file.managed: - name: /opt/so/conf/sensoroni/sensoroni.json - source: salt://pcap/files/sensoroni.json - - user: sensoroni - - group: sensoroni + - user: 939 + - group: 939 - mode: 600 - template: jinja @@ -106,8 +102,8 @@ pcaptmpdir: pcapoutdir: file.directory: - name: /nsm/pcapout - - user: sensoroni - - group: sensoroni + - user: 939 + - group: 939 - makedirs: True pcapindexdir: @@ -124,20 +120,20 @@ stenolog: - group: 941 - makedirs: True -pcap_network: - docker_network.present +sensoronilog: + file.directory: + - name: /opt/so/log/sensoroni + - user: 939 + - group: 939 + - makedirs: True so-steno: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }} - network_mode: host - privileged: True - - networks: - - pcap_network: - - aliases: - - steno - - require: - - docker_network: pcap_network + - port_bindings: + - 127.0.0.1:1234:1234 - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /opt/so/conf/steno/config:/etc/stenographer/config:rw 
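Review bot: The rewritten `so-steno` stanza keeps `- network_mode: host` as context and re-adds `- port_bindings: - 127.0.0.1:1234:1234`; with host networking Docker does not apply port bindings, so this line neither restricts port 1234 to loopback nor does anything else, while reading as if it did. Drop the binding, or if loopback-only listening is the intent, enforce it in the stenographer config that `stenoconf` renders (outside this hunk) and note that here. `sensoroniagentconf` and `pcapoutdir` move from the removed `sensoroni` user to uid/gid `939` while `stenoconf` stays at `stenographer`; a comment on the first such stanza naming what 939 is (`# 939 = socore, also used by the sensoroni agent`) would document the ownership split — the socore name is my inference from patch 019's commit message. Keeping `sensoroni.json` at `mode: 600` is right, since the file carries an API key.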
@@ -151,12 +147,7 @@ so-steno: so-sensoroni: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }} - - networks: - - pcap_network: - - aliases: - - sensoroni - - require: - - docker_network: pcap_network + - network_mode: host - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /nsm/pcapout:/nsm/pcapout:rw From 1ee3625f6104695e005ab554bf24b39b5847c113 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 21 Jun 2020 15:46:36 -0400 Subject: [PATCH 019/314] Ensure certs dir is group readable by socore since Sensoroni process will need to read the client key --- salt/pcap/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 310b7e153..02a2e23d8 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -83,7 +83,7 @@ stenoca: file.directory: - name: /opt/so/conf/steno/certs - user: 941 - - group: 941 + - group: 939 pcapdir: file.directory: From d7693f9b555704b030d2da6cfa71128c81dff04f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 22 Jun 2020 08:27:43 -0400 Subject: [PATCH 020/314] Expose pcap dir to sensoroni for epoch discovery --- salt/pcap/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 02a2e23d8..bcf09b765 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -150,6 +150,7 @@ so-sensoroni: - network_mode: host - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw + - /nsm/pcap:/nsm/pcap:rw - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw From 36a329214ad054e26ff5fa1cab6c3d69490ef3c6 Mon Sep 17 00:00:00 2001 
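Review bot: `port_bindings: 127.0.0.1:1234:1234` is restored on so-steno while the container keeps `network_mode: host`, and Docker discards published ports for host-networked containers, so this line does not confine stenographer's port to loopback; it only reads as if it does. Whether 1234 is reachable from other hosts is decided by the listen address in `/opt/so/conf/steno/config` and by the host firewall, neither of which is in this hunk. Either drop the two lines or annotate them, e.g. `# no effect under network_mode: host; bind address is set in the stenographer config`, so nobody treats them as a control. The so-steno state continues past the end of this hunk.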
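Review bot: Changing `group: 939` on the `stenoca` directory state affects the directory inode only; without `- recurse: [user, group]` the certificate and key files already inside keep their previous owner, group and mode, so the Sensoroni process named in the commit message will still be unable to read the client key unless whatever generates those files sets group-readable modes itself, which is not visible here. If recursion is added, it would also expose every file in that directory to group 939, including any CA private key kept alongside (the state name suggests one); granting group read on just the client cert and key, or keeping the CA key elsewhere, limits that to what the agent needs.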
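Review bot: `/nsm/pcap` is bound read-write into so-sensoroni although the stated purpose, epoch discovery, only needs to list the directory; the capture files there are evidence and are presumably written by so-steno, which already has the path `:rw`. Use `- /nsm/pcap:/nsm/pcap:ro` so a compromised or misbehaving agent cannot truncate or delete packet data, and keep `/nsm/pcapout`, which the agent does write, as `:rw`. The so-sensoroni state continues outside this hunk.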
From: m0duspwnens Date: Mon, 22 Jun 2020 16:56:03 -0400 Subject: [PATCH 021/314] merge eve-log in outputs for suricata meta data generation or zeek/default - https://github.com/Security-Onion-Solutions/securityonion/issues/584 --- salt/suricata/defaults3.yaml | 2 +- salt/suricata/files/test.jinja | 1 + salt/suricata/suricata_config.map.jinja | 22 +-- salt/suricata/suricata_meta.yaml | 250 ++++++++++++------------ salt/suricata/test.sls | 9 + 5 files changed, 147 insertions(+), 137 deletions(-) create mode 100644 salt/suricata/files/test.jinja create mode 100644 salt/suricata/test.sls diff --git a/salt/suricata/defaults3.yaml b/salt/suricata/defaults3.yaml index e523f2445..7a5eae178 100644 --- a/salt/suricata/defaults3.yaml +++ b/salt/suricata/defaults3.yaml @@ -74,7 +74,7 @@ suricata: - eve-log: enabled: "yes" filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve.json + filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour #prefix: "@cee: " # prefix to prepend to each log entry diff --git a/salt/suricata/files/test.jinja b/salt/suricata/files/test.jinja new file mode 100644 index 000000000..3a024390a --- /dev/null +++ b/salt/suricata/files/test.jinja @@ -0,0 +1 @@ +{{ suricata | yaml(False) }} \ No newline at end of file diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 7eeb8379d..38439e940 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja @@ -1,6 +1,6 @@ -{% import_yaml 'suricata/files/defaults3.yaml' as suricata_defaults with context %} +{% import_yaml 'suricata/defaults3.yaml' as suricata_defaults with context %} {% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} -{% set evelog_index = [] %} +{% set default_evelog_index = [] %} {% set hardware_header = 15 %} {% set default_packet_size = salt['grains.filter_by']({ 
@@ -15,22 +15,22 @@ }, },grain='id', merge=salt['pillar.get']('suricata')) %} -{% set meta_data = salt['pillar.filter_by']({ - 'SURICATA': suricata_meta.suricata.lookup.outputs[0], - 'default': suricata_defaults.suricata.lookup.outputs[1] -},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %} - -{% do suricata_defaults.suricata.lookup.update(default_packet_size) %} +{# Find the index of eve-log so it can be updated later #} {% for li in suricata_defaults.suricata.lookup.outputs %} {% for k, v in li.items() %} {% if k == 'eve-log' %} - {% do evelog_index.append(li) %} - {# do suricata_defaults.suricata.lookup.outputs[loop.index].update(meta_data) #} + {% do default_evelog_index.append(loop.index) %} {% endif %} {% endfor %} {% endfor %} +{% set default_evelog_index = default_evelog_index[0] %} +{% set meta_data = salt['pillar.filter_by']({ + 'SURICATA': suricata_meta.suricata.lookup.outputs[0], + 'default': suricata_defaults.suricata.lookup.outputs[default_evelog_index] +},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %} -{# do suricata_defaults.suricata.lookup.outputs[0].update(meta_data) #} +{% do suricata_defaults.suricata.lookup.update(default_packet_size) %} +{% do suricata_defaults.suricata.lookup.outputs[default_evelog_index].update(meta_data) %} {% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %} \ No newline at end of file diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml index b052a3c9b..747e9b8f9 100644 --- a/salt/suricata/suricata_meta.yaml +++ b/salt/suricata/suricata_meta.yaml 
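Review bot: The index recorded for eve-log is wrong in two ways: `loop.index` inside the inner `for k, v in li.items()` loop is that inner loop's counter, not the position of `li` in `outputs`, and Jinja's `loop.index` is 1-based while `outputs[default_evelog_index]` is 0-based. Because each outputs entry is a single-key mapping the value is always 1, which only selects eve-log when it happens to be the second entry of the defaults, i.e. the old hard-coded `outputs[1]`. Replace the nested loop with `{% if 'eve-log' in li %}{% do default_evelog_index.append(loop.index0) %}{% endif %}` inside the outer loop so the position is found wherever eve-log sits, and note that `default_evelog_index[0]` raises at render time if no eve-log entry exists, which deserves a guard or at least a comment.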
@@ -1,136 +1,136 @@ suricata: lookup: outputs: - - eve-log: - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: "no" - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- types: - decode: "no" - stream: "no" - applayer: "yes" - packethdr: "no" - - http: - extended: "yes" # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format + - eve-log: + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is disabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # enabled. 
+ enabled: "no" + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + decode: "no" + stream: "no" + applayer: "yes" + packethdr: "no" + - http: + extended: "yes" # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one among {both, request, response} + # to dump all http headers for every http request and/or response + # dump-all-headers: none + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 + # As of Suricata 5.0, version 2 of the eve dns output + # format is the default. + version: 2 - # Enable/disable this logger. Default: enabled. - enabled: "yes" + # Enable/disable this logger. Default: enabled. + enabled: "yes" - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: "no" - #responses: "no" + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: "no" + #responses: "no" - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] - # Types to log, based on the query type. - # Default: all. - #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: "yes" # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: "no" - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: "no" # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: "yes" # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. + # Types to log, based on the query type. + # Default: all. 
+ #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: "yes" # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: "no" + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: "no" # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: "yes" # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. - - smtp: - extended: "yes" # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] + - smtp: + extended: "yes" # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] - - dnp3 - - ftp - 
- rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: "yes" - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: "no" - - ssh - #- stats: - # totals: "yes" # stats for all threads merged together - # threads: "no" # per thread stats - # deltas: "no" # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow + - dnp3 + - ftp + - rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + - sip + - dhcp: + enabled: "yes" + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + # extended: "no" + - ssh + #- stats: + # totals: "yes" # stats for all threads merged together + # threads: "no" # per thread stats + # deltas: "no" # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow - # Metadata event type. Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata \ No newline at end of file + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata \ No newline at end of file diff --git a/salt/suricata/test.sls b/salt/suricata/test.sls new file mode 100644 index 000000000..118e76950 --- /dev/null +++ b/salt/suricata/test.sls @@ -0,0 +1,9 @@ +{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %} + +test_suri_config: + file.managed: + - name: /tmp/test.yaml + - source: salt://suricata/files/test.jinja + - context: + suricata: {{ suricata | json }} + - template: jinja \ No newline at end of file From af451573ebfe432d435f3903864448a937cb5eab Mon Sep 17 00:00:00 2001 
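Review bot: `test_suri_config` renders the fully merged Suricata configuration, including pillar-supplied values such as HOME_NET, into `/tmp/test.yaml` with no `mode`, `user` or `group`, and `file.managed` follows an existing symlink at the target by default, so a fixed name in a shared `/tmp` gives both a world-readable dump and a root-writes-through-symlink path. If this state is meant to stay in the tree, write under a root-owned directory and add `- mode: 600` and `- follow_symlinks: False`; if it is scaffolding for the eve-log merge, say so in a comment at the top of the file so it is not applied on production minions.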
From: Wes Lambert Date: Tue, 23 Jun 2020 17:43:28 +0000 Subject: [PATCH 022/314] Move dataset from files to file --- salt/elasticsearch/files/ingest/zeek.files | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index f72bde097..53600180f 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files @@ -30,6 +30,7 @@ { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, + { "set": { "field": "dataset", "value": "file" } }, { "pipeline": { "name": "zeek.common" } } ] } From c0428ce79ddb9099334e18f5472f3d5a79b5cbf6 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 23 Jun 2020 17:48:12 +0000 Subject: [PATCH 023/314] Update file dataset name for hunt queries --- salt/soc/files/soc/soc.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 090db59ea..693c44aeb 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -107,8 +107,8 @@ { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, - { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:files | groupby file.mime_type source.ip"}, - { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:files | groupby file.source source.ip"}, + { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, + { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, { "name": "FTP", "description": "FTP grouped by argument", "query": "event.dataset:ftp | groupby ftp.argument"}, { "name": "FTP", "description": "FTP grouped by command", "query": "event.dataset:ftp | groupby ftp.command"}, { "name": "FTP", "description": "FTP grouped by username", "query": "event.dataset:ftp | groupby ftp.user"}, From f7eacc2b05c17c0b72d4956f3df54e07ef20cfc2 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 23 Jun 2020 18:47:23 +0000 Subject: [PATCH 024/314] Add FW config for Strelka frontend --- files/firewall/hostgroups.local.yaml | 6 +++++- salt/common/tools/sbin/so-allow | 8 ++++++++ salt/firewall/assigned_hostgroups.map.yaml | 5 ++++- salt/firewall/portgroups.yaml | 5 ++++- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 9d2c4c0c7..27ad40f6e 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml 
@@ -44,6 +44,10 @@ firewall: ips: delete: insert: + strelka_frontend: + ips: + delete: + insert: syslog: ips: delete: @@ -59,4 +63,4 @@ firewall: wazuh_authd: ips: delete: - insert: \ No newline at end of file + insert: diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 82d25c25e..d273cfce5 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -38,6 +38,11 @@ do FULLROLE="beats_endpoint" SKIP=1 ;; + f) + FULLROLE="strelka_frontend" + SKIP=1 + ;; + i) IP=$OPTARG ;; o) @@ -72,6 +77,7 @@ if [ "$SKIP" -eq 0 ]; then echo "" echo "[a] - Analyst - ports 80/tcp and 443/tcp" echo "[b] - Logstash Beat - port 5044/tcp" + echo "[f] - Strelka frontend - port 57314/tcp" echo "[o] - Osquery endpoint - port 8090/tcp" echo "[s] - Syslog device - 514/tcp/udp" echo "[w] - Wazuh agent - port 1514/tcp/udp" @@ -86,6 +92,8 @@ if [ "$SKIP" -eq 0 ]; then FULLROLE=analyst elif [ "$ROLE" == "b" ]; then FULLROLE=beats_endpoint + elif [ "$ROLE" == "f" ]; then + FULLROLE=strelka_frontend elif [ "$ROLE" == "o" ]; then FULLROLE=osquery_endpoint elif [ "$ROLE" == "w" ]; then diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index beda399e7..ea7b23afb 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -52,6 +52,9 @@ role: osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} + strelka_frontend: + portgroups: + - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} @@ -466,4 +469,4 @@ role: - {{ portgroups.all }} localhost: portgroups: - - {{ portgroups.all }} \ No newline at end of file + - {{ portgroups.all }} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 94dace60f..2f3d5032a 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -74,6 +74,9 @@ firewall: ssh: tcp: - 22 + strelka_frontend: + tcp: + - 57314 syslog: tcp: - 514 
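Review bot: The new menu line `[f] - Strelka frontend - port 57314/tcp` tells the operator nothing about what that port admits, unlike the analyst entry whose web UI sits behind a login; nothing in this change configures client authentication on the Strelka frontend, so if the gRPC endpoint accepts submissions from any peer, the `strelka_frontend` hostgroup is the only control over who can push files into the scanning pipeline. Say so where the choice is made, e.g. `echo "[f] - Strelka frontend - port 57314/tcp (file submission; allow only trusted hosts)"`. The option parsing that supplies the address (`IP=$OPTARG`) is context here, so whether the value is validated before it reaches the firewall state is not visible in this hunk.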
@@ -89,4 +92,4 @@ firewall: - 55000 wazuh_authd: tcp: - - 1515 \ No newline at end of file + - 1515 From 0a0fe5914a5a38fca881c5b6cce503a9b3558a6d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Jun 2020 17:57:14 -0400 Subject: [PATCH 025/314] [fix][feat] Move navigator entries to static files + fix indent --- salt/nginx/etc/nginx.conf.so-eval | 536 +++++++++++---------- salt/nginx/etc/nginx.conf.so-fleet | 128 +++--- salt/nginx/etc/nginx.conf.so-heavynode | 64 +-- salt/nginx/etc/nginx.conf.so-master | 536 +++++++++++---------- salt/nginx/etc/nginx.conf.so-mastersearch | 537 +++++++++++----------- salt/nginx/etc/nginx.conf.so-standalone | 536 +++++++++++---------- 6 files changed, 1156 insertions(+), 1181 deletions(-) diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 193932ade..49ba4b2ef 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval 
@@ -14,318 +14,312 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. 
+ #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } {% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ masterip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } {% endif %} # Settings for a TLS enabled server. 
- server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ masterip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - 
proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ masterip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + 
proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ masterip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ masterip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ masterip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header 
X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /usr/share/nginx/html/40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /usr/share/nginx/html/40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location 
= /usr/share/nginx/html/50x.html { + } + } } diff --git a/salt/nginx/etc/nginx.conf.so-fleet b/salt/nginx/etc/nginx.conf.so-fleet index c4144447c..937f09a5b 100644 --- a/salt/nginx/etc/nginx.conf.so-fleet +++ b/salt/nginx/etc/nginx.conf.so-fleet 
@@ -14,87 +14,87 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - include /etc/nginx/conf.d/*.conf; + include /etc/nginx/conf.d/*.conf; - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { 
- grpc_pass grpcs://{{ MAINIP }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ MAINIP }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } - server { - listen 443 ssl http2 default_server; - server_name _; - root /opt/socore/html/packages; - index index.html; + server { + listen 443 ssl http2 default_server; + server_name _; + root /opt/socore/html/packages; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location /fleet/ { - proxy_pass https://{{ MAINIP }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /fleet/ { + proxy_pass https://{{ MAINIP }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - #error_page 404 /404.html; - # location = /40x.html { - #} + #error_page 404 /404.html; + # location = /40x.html { + #} - error_page 500 502 503 504 /50x.html; - location = 
/usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } } diff --git a/salt/nginx/etc/nginx.conf.so-heavynode b/salt/nginx/etc/nginx.conf.so-heavynode index f3fc913de..7ec3fef7d 100644 --- a/salt/nginx/etc/nginx.conf.so-heavynode +++ b/salt/nginx/etc/nginx.conf.so-heavynode 
@@ -11,50 +11,50 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; + server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + root /usr/share/nginx/html; - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. 
+ include /etc/nginx/default.d/*.conf; - location / { - } + location / { + } - error_page 404 /404.html; - location = /40x.html { - } + error_page 404 /404.html; + location = /40x.html { + } - error_page 500 502 503 504 /50x.html; - location = /50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + } + } # Settings for a TLS enabled server. # diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master index 64e1fa7d6..34b5ea9cd 100644 --- a/salt/nginx/etc/nginx.conf.so-master +++ b/salt/nginx/etc/nginx.conf.so-master 
@@ -14,318 +14,312 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. 
+ #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } {% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ masterip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } {% endif %} # Settings for a TLS enabled server. 
- server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ masterip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - 
proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ masterip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + 
proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ masterip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ masterip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ masterip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header 
X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + 
} } diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-mastersearch index 64e1fa7d6..7c8f8ff5d 100644 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ b/salt/nginx/etc/nginx.conf.so-mastersearch 
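Review bot: The new `location /navigator/` block keeps `auth_request`, `proxy_read_timeout 90;`, `proxy_connect_timeout 90;` and five `proxy_set_header` lines but no longer has a `proxy_pass` (the removed block proxied to `http://{{ masterip }}:4200/navigator/`), so those proxy_* directives are inert and requests are now served from `root /opt/socore/html`; if navigator is meant to be static now, the seven dead lines should go (the same inert set already sits in `/cyberchef/`), and if the `proxy_pass` drop was accidental it should be restored. The preceding file section in this patch makes the identical navigator change. Dropping `location /cyberchef { rewrite ^ /cyberchef/ permanent; }` also means a request for `/cyberchef` without the trailing slash no longer matches the `/cyberchef/` prefix and falls through to `location /`, which is proxied to `{{ masterip }}:9822` behind `auth_request` — worth confirming that is intended. Finally, `/nodered/`, `/playbook/`, `/thehive/`, `/cortex/`, `/soctopus/`, `/sensoroniagents/` and the non-FLEET_NODE `/fleet/` are proxied without `auth_request /auth/sessions/whoami;` while `/`, `/kibana/` and `/packages/` require it; a short comment such as `# upstream enforces its own authentication; no auth_request here` above each would make that design choice explicit for the next maintainer.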
@@ -14,318 +14,311 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. 
+ #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } {% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ masterip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } + } {% endif %} # Settings for a TLS enabled server. 
- server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ masterip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - 
proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ masterip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + 
proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ masterip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ masterip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ masterip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header 
X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + 
} }
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone
index 64e1fa7d6..34b5ea9cd 100644
--- a/salt/nginx/etc/nginx.conf.so-standalone
+++ b/salt/nginx/etc/nginx.conf.so-standalone
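Review bot: The new `location /navigator/` block carries `proxy_read_timeout`, `proxy_connect_timeout` and five `proxy_set_header` directives but no `proxy_pass`, so none of them take effect and the path is now served as static files from `root /opt/socore/html` behind `auth_request`; if dropping the former `proxy_pass http://{{ masterip }}:4200/navigator/;` is intentional, the dead proxy directives should go with it (the same pattern already sits in `/cyberchef/` and `/packages/`), otherwise the `proxy_pass` was lost in the move. The `@error401` handler sets `AUTH_REDIRECT=$request_uri` on a TLS-only server without cookie attributes; `add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400;Secure;HttpOnly;SameSite=Lax";` costs nothing here, assuming the login flow reads the cookie server-side rather than from browser script. Both `ssl` server blocks set `ssl_ciphers HIGH:!aNULL:!MD5` with no `ssl_protocols` line, so the accepted TLS versions fall back to the nginx build default, which at the time of this commit included TLS 1.0 and 1.1; `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_prefer_server_ciphers on;` would make that explicit. The so-standalone hunk below is the same rewrite and the same three points apply there.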
@@ -14,318 +14,312 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. 
+ #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } {% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ masterip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } {% endif %} # Settings for a TLS enabled server. 
- server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ masterip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - 
proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ masterip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + 
proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ masterip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ masterip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ masterip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header 
X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + 
} } From bd367499590f5e4aeb1fef14c12d3354992a2013 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Jun 2020 12:38:32 -0400 Subject: [PATCH 026/314] [feat] Remove navigator container references --- pillar/docker/config.sls | 3 --- salt/common/maps/playbook.map.jinja | 3 +-- salt/common/tools/sbin/so-docker-refresh | 1 - salt/common/tools/sbin/so-elastic-download | 1 - .../files/bin/so-curator-closed-delete-delete | 4 ++-- salt/firewall/assigned_hostgroups.map.yaml | 5 ----- salt/firewall/portgroups.yaml | 3 --- .../files/registry/scripts/so-docker-download | 1 - .../files/nav_layer_playbook.json | 0 .../files/navigator_config.json | 0 salt/nginx/init.sls | 12 ++++++++++++ salt/top.sls | 13 ------------- setup/automation/pm_standalone_defaults | 1 - setup/so-functions | 2 -- setup/so-setup | 5 ----- setup/so-whiptail | 1 - upgrade/so-update-functions | 1 - 17 files changed, 15 insertions(+), 41 deletions(-) rename salt/{navigator => nginx}/files/nav_layer_playbook.json (100%) rename salt/{navigator => nginx}/files/navigator_config.json (100%) diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls index 3c90b710a..f8426b8cb 100644 --- a/pillar/docker/config.sls +++ b/pillar/docker/config.sls @@ -44,7 +44,6 @@ eval: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver @@ -116,7 +115,6 @@ master_search: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver @@ -159,7 +157,6 @@ master: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver diff --git a/salt/common/maps/playbook.map.jinja b/salt/common/maps/playbook.map.jinja index 064262119..84baa8dec 100644 --- a/salt/common/maps/playbook.map.jinja +++ b/salt/common/maps/playbook.map.jinja 
@@ -1,6 +1,5 @@ {% set docker = { 'containers': [ - 'so-playbook', - 'so-navigator' + 'so-playbook' ] } %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index 75415e6fa..d4796818d 100644 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh @@ -81,7 +81,6 @@ if [ $MASTERCHECK != 'so-helix' ]; then "so-kratos:$VERSION" \ "so-logstash:$VERSION" \ "so-mysql:$VERSION" \ - "so-navigator:$VERSION" \ "so-nginx:$VERSION" \ "so-playbook:$VERSION" \ "so-redis:$VERSION" \ diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download index 216f51410..4c3406c74 100755 --- a/salt/common/tools/sbin/so-elastic-download +++ b/salt/common/tools/sbin/so-elastic-download @@ -18,7 +18,6 @@ TRUSTED_CONTAINERS=( \ "so-kibana:$VERSION" \ "so-logstash:$VERSION" \ "so-mysql:$VERSION" \ -"so-navigator:$VERSION" \ "so-playbook:$VERSION" \ "so-redis:$VERSION" \ "so-sensoroni:$VERSION" \ diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 3d397defc..9075752db 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -1,4 +1,6 @@ +#!/bin/bash + {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} {%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%} @@ -9,8 +11,6 @@ {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%} {%- endif -%} -#!/bin/bash -# # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index ea7b23afb..aa41322a3 100644 
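Review bot: The shebang moved to line 1 of so-curator-closed-delete-delete is followed by `{%- if grains['role'] in [...] %}`, and that leading `-` strips the two newlines between `#!/bin/bash` and the tag; with `{%- endif -%}` also stripping the newline after the block, the rendered script appears to begin `#!/bin/bash# Copyright 2014…`, which the kernel would read as interpreter path `/bin/bash#`. Dropping the whitespace-control dash on the opening tag (`{% if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}`) and on the closing `{%- endif %}` keeps the shebang on a line of its own. Worth confirming against the rendered file, since Salt's trim_blocks setting is not visible here.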
--- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -13,7 +13,6 @@ role: - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -95,7 +94,6 @@ role: - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -174,7 +172,6 @@ role: - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -253,7 +250,6 @@ role: - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -330,7 +326,6 @@ role: - {{ portgroups.wazuh_agent }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 2f3d5032a..7f09d1139 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -48,9 +48,6 @@ firewall: mysql: tcp: - 3306 - navigator: - tcp: - - 4200 nginx: tcp: - 80 diff --git a/salt/master/files/registry/scripts/so-docker-download b/salt/master/files/registry/scripts/so-docker-download index 2670acf26..1213ae72a 100644 --- a/salt/master/files/registry/scripts/so-docker-download +++ b/salt/master/files/registry/scripts/so-docker-download @@ -18,7 +18,6 @@ TRUSTED_CONTAINERS=( \ "so-wazuh:$VERSION" \ "so-kibana:$VERSION" \ "so-elastalert:$VERSION" \ -"so-navigator:$VERSION" \ "so-filebeat:$VERSION" \ "so-suricata:$VERSION" \ "so-logstash:$VERSION" \ 
diff --git a/salt/navigator/files/nav_layer_playbook.json b/salt/nginx/files/nav_layer_playbook.json similarity index 100% rename from salt/navigator/files/nav_layer_playbook.json rename to salt/nginx/files/nav_layer_playbook.json diff --git a/salt/navigator/files/navigator_config.json b/salt/nginx/files/navigator_config.json similarity index 100% rename from salt/navigator/files/navigator_config.json rename to salt/nginx/files/navigator_config.json diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 296774a02..2ead5587a 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -40,6 +40,15 @@ nginxtmp: - group: 939 - makedirs: True +navigatorconfig: + file.managed: + - name: /opt/so/conf/navigator/navigator_config.json + - source: salt://nginx/files/navigator_config.json + - user: 939 + - group: 939 + - makedirs: True + - template: jinja + so-nginx: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} @@ -52,6 +61,9 @@ so-nginx: - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - /opt/so/conf/fleet/packages:/opt/socore/html/packages + # ATT&CK Navigator binds + - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro + - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 diff --git a/salt/top.sls b/salt/top.sls index 3629fbe0b..3cc7ec7a5 100644 --- a/salt/top.sls +++ b/salt/top.sls 
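Review bot: The second new bind in `so-nginx` mounts `/opt/so/conf/navigator/nav_layer_playbook.json`, but the only state added for that directory is `navigatorconfig`, which manages `navigator_config.json`; the `navigator` state that previously owned these files is removed from top.sls in this same commit, so nothing visible here places `nav_layer_playbook.json` on the host. Docker creates a directory at a missing bind source, which would leave the container with an empty directory where `assets/playbook.json` is expected. A sibling `file.managed` for `/opt/so/conf/navigator/nav_layer_playbook.json` sourced from `salt://nginx/files/nav_layer_playbook.json` (the renamed file), plus a `require` on both from `so-nginx`, would close the gap unless another state outside this diff writes it.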
@@ -2,7 +2,6 @@ {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} -{%- set NAVIGATOR = salt['pillar.get']('master:navigator', '0') -%} {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%} {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} @@ -109,9 +108,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -159,9 +155,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -219,9 +212,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -336,9 +326,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index 2f62fab98..ac0033f83 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -50,7 +50,6 @@ MNIC=eth0 # MSEARCH= # MSRV= # MTU= -NAVIGATOR=1 NIDS=Suricata # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= diff --git a/setup/so-functions b/setup/so-functions index 1ba4b66a1..04bdbe8dd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -718,7 +718,6 @@ docker_seed_registry() { "so-influxdb:$VERSION" \ "so-kibana:$VERSION" \ "so-mysql:$VERSION" \ - "so-navigator:$VERSION" \ "so-playbook:$VERSION" \ "so-soc:$VERSION" \ "so-kratos:$VERSION" \ 
@@ -910,7 +909,6 @@ master_pillar() { " osquery: $OSQUERY"\ " thehive: $THEHIVE"\ " playbook: $PLAYBOOK"\ - " navigator: $NAVIGATOR"\ " url_base: $REDIRECTIT"\ ""\ "kratos:" >> "$pillar_file" diff --git a/setup/so-setup b/setup/so-setup index 478151def..070a3b857 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -555,11 +555,6 @@ fi salt-call state.apply -l info playbook >> $setup_log 2>&1 fi - if [[ "$NAVIGATOR" = 1 ]]; then - set_progress_str 78 "$(print_salt_state_apply 'navigator')" - salt-call state.apply -l info navigator >> $setup_log 2>&1 - fi - if [[ $is_master || $is_helix ]]; then set_progress_str 81 "$(print_salt_state_apply 'utility')" salt-call state.apply -l info utility >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index 48e74e9b5..563f84105 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -343,7 +343,6 @@ whiptail_enable_components() { WAZUH "Enable Wazuh" ON \ THEHIVE "Enable TheHive" ON \ PLAYBOOK "Enable Playbook" ON \ - NAVIGATOR "Enable ATT&CK Navigator" ON \ STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index dd4235902..8b7fcd312 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions @@ -51,7 +51,6 @@ if [ $MASTERCHECK != 'so-helix' ]; then "so-kratos:$BUILD$UPDATEVERSION" \ "so-logstash:$BUILD$UPDATEVERSION" \ "so-mysql:$BUILD$UPDATEVERSION" \ - "so-navigator:$BUILD$UPDATEVERSION" \ "so-nginx:$BUILD$UPDATEVERSION" \ "so-playbook:$BUILD$UPDATEVERSION" \ "so-redis:$BUILD$UPDATEVERSION" \ From 52a0ace1b8d87b4ce0e7e8d1aa8feb584b25a688 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 24 Jun 2020 17:08:58 +0000 Subject: [PATCH 027/314] Use Strelka rules if enabled --- salt/strelka/init.sls | 6 +++++- salt/top.sls | 2 +- setup/so-functions | 8 +++++--- 3 files changed, 11 insertions(+), 5 deletions(-) 
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 5767531f4..145b9e620 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -15,6 +15,7 @@ {%- set MASTER = grains['master'] %} {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} # Strelka config strelkaconfdir: @@ -32,6 +33,9 @@ strelkasync: - user: 939 - group: 939 - template: jinja + {%- if STRELKA_RULES != 1 %} + - exclude_pat: rules/ + {%- endif %} strelkadatadir: file.directory: @@ -87,7 +91,7 @@ strelka_backend: - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro + - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend - command: strelka-backend - restart_policy: on-failure diff --git a/salt/top.sls b/salt/top.sls index 3629fbe0b..7af856b35 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -7,7 +7,7 @@ {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} -{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%} +{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} base: diff --git a/setup/so-functions b/setup/so-functions index 1ba4b66a1..37145e12b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -953,9 +953,11 @@ master_static() { " fleet_hostname: N/A"\ " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY"\ - " strelka: $STRELKA"\ - " wazuh: $WAZUH"\ - " masterupdate: $MASTERUPDATES"\ + " wazuh: $WAZUH"\ + " masterupdate: $MASTERUPDATES"\ + "strelka:"\ + " enabled: $STRELKA"\ + " rules: $STRELKARULES"\ "elastic:"\ " features: False" > "$static_pillar" 
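Review bot: `STRELKA_RULES` defaults to the string `'1'` but is compared with the integer `1` in `{%- if STRELKA_RULES != 1 %}`, so a host with no `strelka:rules` pillar key takes the exclude branch even though the default is meant to enable rules (`'1' != 1` is true in Jinja). Using a consistent type on both sides, e.g. `{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', 1) -%}` or `{%- if STRELKA_RULES|string != '1' %}`, avoids that. Separately, `exclude_pat: rules/` appears to be a glob matched against the path relative to the source in `file.recurse`, and `rules/` does not match `rules/foo.yar`; `rules/*` (or `E@^rules/` for a regex) is what would actually skip the subtree.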
From 8bd6c067aa48184b15409c0c44b558303e5288cd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Jun 2020 13:10:18 -0400 Subject: [PATCH 028/314] [fix] discovery.zen.minimum_master_nodes is deprecated, update the key --- salt/elasticsearch/files/elasticsearch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 271ef40cf..c00a1ca12 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -6,7 +6,7 @@ network.host: 0.0.0.0 # minimum_master_nodes need to be explicitly set when bound on a public IP # set to 1 to allow single node clusters # Details: https://github.com/elastic/elasticsearch/pull/17288 -discovery.zen.minimum_master_nodes: 1 +cluster.initial_master_nodes: 1 # This is a test -- if this is here, then the volume is mounted correctly. path.logs: /var/log/elasticsearch action.destructive_requires_name: true From 8bfbd773671dec71f92132e436eaa16187a6786f Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 24 Jun 2020 17:18:05 +0000 Subject: [PATCH 029/314] Update whiptail for Strelka --- setup/so-whiptail | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 48e74e9b5..b99f306b0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1028,6 +1028,26 @@ whiptail_shard_count() { } +whiptail_strelka_rules() { + + [ -n "$TESTING" ] && return + + # Ask to inherit from master + whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75 + + local exitstatus=$? + + if [ $exitstatus == 0 ]; then + export STRELKARULES=1 + else + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + export STRELKARULES + + fi + +} + whiptail_suricata_pins() { [ -n "$TESTING" ] && return From 0849014b249b567a7c33ddfb03491b168d1afd68 Mon Sep 17 00:00:00 2001 
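Review bot: `cluster.initial_master_nodes` takes a list of master-eligible node names (or hostnames/addresses), not a count, so `1` would be read as the name of a node that never joins and the cluster would not bootstrap; the revert later in this series suggests that was observed. For a single-node cluster the supported replacement for `discovery.zen.minimum_master_nodes: 1` is `discovery.type: single-node`, which also matches the `# set to 1 to allow single node clusters` comment kept above it. The Elasticsearch major in use is not visible here, so which key applies depends on that.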
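Review bot: In the `else` branch of `whiptail_strelka_rules`, `local exitstatus=$?` re-reads `$?` after the `[ $exitstatus == 0 ]` test has already run, so it always captures that test's result (1) rather than whiptail's own code, and the difference between answering No (1) and pressing Esc/Cancel (255) is lost before `whiptail_check_exitstatus` sees it. The first assignment is the only one needed, so the redeclaration line can be removed. `export STRELKARULES` with no value also leaves the variable unset, which the pillar writer renders as `rules: ` (YAML null); `export STRELKARULES=0` gives the state file a definite value to compare against.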
From: bryant-treacle Date: Wed, 24 Jun 2020 17:21:58 +0000 Subject: [PATCH 030/314] Issue #885: so-elastic-clear not removing so-* indices --- salt/common/tools/sbin/so-elastic-clear | 32 ++++++++++++++++++------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 2db400839..84ebcaf78 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -13,9 +13,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} -. /usr/sbin/so-common +# along with this program. If not, see .. /usr/sbin/so-common SKIP=0 ######################################### @@ -50,7 +48,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - curl {{ MASTERIP }}:9200/_cat/indices?v&pretty + curl {{ MASTERIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo 
@@ -63,18 +61,34 @@ if [ $SKIP -ne 1 ]; then if [ "$INPUT" != "AGREE" ] ; then exit 0; fi fi -/usr/sbin/so-filebeat-stop -/usr/sbin/so-logstash-stop +# Check to see if Logstash/Filebeat are running +LS_ENABLED=$(so-status | grep logstash) +FB_ENABLED=$(so-status | grep filebeat) + +if [ ! -z "$FB_ENABLED" ]; then + /usr/sbin/so-filebeat-stop + +elif [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-stop +fi # Delete data echo "Deleting data..." -INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }') +INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1 done -/usr/sbin/so-logstash-start -/usr/sbin/so-filebeat-start +#Start Logstash/Filebeat +if [ ! -z "$FB_ENABLED" ]; then + + /usr/sbin/so-filebeat-start + +elif [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-start +fi From a01339039af058147efff82ffb90d49a87d83749 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 24 Jun 2020 17:22:55 +0000 Subject: [PATCH 031/314] Update Setup for Strelka rules --- setup/so-setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 478151def..634389dcd 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -255,6 +255,9 @@ fi if [[ $is_master ]]; then whiptail_components_adv_warning whiptail_enable_components + if [[ $STRELKA == 1 ]]; then + whiptail_strelka_rules + fi collect_webuser_inputs get_redirect fi From f5bb831edff2d01f0c50741acf478c7b3ff5afc2 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 24 Jun 2020 17:27:59 +0000 Subject: [PATCH 032/314] Fix comment --- setup/so-whiptail | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index b99f306b0..6c27fcd81 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
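Review bot: The new `egrep 'logstash|elastalert|so-'` runs over the whole `_cat/indices` row, so `so-` can match inside the UUID column (Elasticsearch index UUIDs are URL-safe base64 and may contain `-`) or any other field, and the index named in that row is then deleted regardless of its own name. Selecting on the index column itself, `awk '$3 ~ /^(logstash|elastalert|so-)/ {print $3}'`, keeps the match to index names and anchors it to the prefix. Quoting the URL (`"{{ MASTERIP }}:9200/_cat/indices?v"`) also stops the shell from treating the `?` as a glob.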
@@ -1032,7 +1032,6 @@ whiptail_strelka_rules() { [ -n "$TESTING" ] && return - # Ask to inherit from master whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75 local exitstatus=$? From 08220e3330e00bbce0b286a8f3851d0cbd600297 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Wed, 24 Jun 2020 18:40:11 +0000 Subject: [PATCH 033/314] Issue #885: so-elastic-clear not removing so-* indices --- salt/common/tools/sbin/so-elastic-clear | 30 +++++++++++++++++++++---- test.test | 0 2 files changed, 26 insertions(+), 4 deletions(-) create mode 100644 test.test diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 84ebcaf78..8e0ca877a 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -14,6 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see .. /usr/sbin/so-common +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +. /usr/sbin/so-common SKIP=0 ######################################### @@ -64,13 +66,24 @@ fi # Check to see if Logstash/Filebeat are running LS_ENABLED=$(so-status | grep logstash) FB_ENABLED=$(so-status | grep filebeat) +EA_ENABLED=$(so-status | grep elastalert) if [ ! -z "$FB_ENABLED" ]; then + /usr/sbin/so-filebeat-stop -elif [ ! -z "$LS_ENABLED" ]; then +fi + +if [ ! -z "$LS_ENABLED" ]; then /usr/sbin/so-logstash-stop + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-stop + fi # Delete data @@ -87,8 +100,17 @@ if [ ! -z "$FB_ENABLED" ]; then /usr/sbin/so-filebeat-start -elif [ ! -z "$LS_ENABLED" ]; then - - /usr/sbin/so-logstash-start +fi + +if [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-start + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-start + fi diff --git a/test.test b/test.test new file mode 100644 index 000000000..e69de29bb 
From ffc9567278b11099629ac94b62388e36746a97b5 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Wed, 24 Jun 2020 15:01:30 -0400 Subject: [PATCH 034/314] Delete test.test --- test.test | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 test.test diff --git a/test.test b/test.test deleted file mode 100644 index e69de29bb..000000000 From 443332d5845cc002e0676be0ff9b49535429ee47 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Wed, 24 Jun 2020 15:03:25 -0400 Subject: [PATCH 035/314] Update so-elastic-clear --- salt/common/tools/sbin/so-elastic-clear | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 8e0ca877a..f7030bc13 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -13,7 +13,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see .. /usr/sbin/so-common +# along with this program. If not, see . {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} . /usr/sbin/so-common From a45fbb6f5c1c460fee9a709053cc726e7107eccc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Jun 2020 10:53:26 -0400 Subject: [PATCH 036/314] Revert "[fix] discovery.zen.minimum_master_nodes is deprecated, update the key" This reverts commit 8bd6c067aa48184b15409c0c44b558303e5288cd. --- salt/elasticsearch/files/elasticsearch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index c00a1ca12..271ef40cf 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
@@ -6,7 +6,7 @@ network.host: 0.0.0.0 # minimum_master_nodes need to be explicitly set when bound on a public IP # set to 1 to allow single node clusters # Details: https://github.com/elastic/elasticsearch/pull/17288 -cluster.initial_master_nodes: 1 +discovery.zen.minimum_master_nodes: 1 # This is a test -- if this is here, then the volume is mounted correctly. path.logs: /var/log/elasticsearch action.destructive_requires_name: true From 6487fdf5e6b85923f4f8c40b0598610b6a13f694 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 25 Jun 2020 15:46:37 +0000 Subject: [PATCH 037/314] Add Strelka YARA function --- setup/so-functions | 4 ++++ setup/so-setup | 3 +++ 2 files changed, 7 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 37145e12b..1afd6b90f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1622,3 +1622,7 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } + +strelka_yara_update() { + so-yara-update +} diff --git a/setup/so-setup b/setup/so-setup index 634389dcd..60bffd618 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -257,6 +257,9 @@ if [[ $is_master ]]; then whiptail_enable_components if [[ $STRELKA == 1 ]]; then whiptail_strelka_rules + if [[ $STRELKARULES == 1 ]]; then + strelka_yara_update + fi fi collect_webuser_inputs get_redirect From 63c45be3884aa1981fb5b8b0dd171ccdb90197e3 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 25 Jun 2020 15:49:58 +0000 Subject: [PATCH 038/314] Update Strelka init for rules --- salt/strelka/init.sls | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 145b9e620..4a422b642 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -25,6 +25,13 @@ strelkaconfdir: - group: 939 - makedirs: True +strelkarulesdir: + file.directory: + - name: /opt/so/conf/strelka/rules + - user: 939 + - group: 939 + - makedirs: True + # Sync dynamic config to conf dir strelkasync: file.recurse: 
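Review bot: `strelka_yara_update` is called from the interactive prompt section of so-setup, before any `state.apply` has run, and it invokes `so-yara-update` by bare name; that script is added under `salt/common/tools/sbin` in this series and presumably reaches the host only when the common state is applied, so at this point it is not obviously on PATH or present at all. If it is meant to run at setup time, calling it by its repository path or deferring the call until after the `common` state avoids a silent `command not found` in the setup log. It also needs outbound access to github.com, which setup has not verified at that stage.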
@@ -33,9 +40,21 @@ strelkasync: - user: 939 - group: 939 - template: jinja - {%- if STRELKA_RULES != 1 %} - - exclude_pat: rules/ - {%- endif %} + +{%- if STRELKA_RULES == 1 %} +strelka_yara_update: + cron.present: + - user: root + - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1' + - hour: '7' + +strelkarules: + file.recurse: + - name: /opt/so/conf/strelka/rules + - source: salt://strelka/rules + - user: 939 + - group: 939 +{%- endif %} strelkadatadir: file.directory: From a24402de9933ecd875ad06dc86a8a86024420805 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 25 Jun 2020 16:31:04 +0000 Subject: [PATCH 039/314] More Strelka rule config --- salt/common/tools/sbin/so-yara-update | 84 +++++++++++++++++++++++++++ salt/strelka/rules/ignore.txt | 4 ++ salt/strelka/rules/repos.txt | 1 + 3 files changed, 89 insertions(+) create mode 100644 salt/common/tools/sbin/so-yara-update create mode 100644 salt/strelka/rules/ignore.txt create mode 100644 salt/strelka/rules/repos.txt diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update new file mode 100644 index 000000000..e6b682690 --- /dev/null +++ b/salt/common/tools/sbin/so-yara-update 
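Review bot: `strelka_yara_update` sets `hour: '7'` but no `minute`, and Salt's `cron.present` defaults `minute` to `*`, so the job would clone the rule repositories every minute from 07:00 to 07:59 instead of once a day; add `- minute: '0'` and an `- identifier: strelka_yara_update` so later edits to the command replace rather than duplicate the crontab entry. The `{%- if STRELKA_RULES == 1 %}` guard still compares the string default `'1'` from `pillar.get('strelka:rules', '1')` with an integer, so hosts without that pillar key never receive rules; use an integer default or compare `|string` on both sides. The enclosing state file continues outside this hunk.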
@@ -0,0 +1,84 @@ +#!/bin/bash +output_dir="/opt/so/saltstack/default/salt/strelka/rules" +#mkdir -p $output_dir +repos="$output_dir/repos.txt" +ignorefile="$output_dir/ignore.txt" + +deletecounter=0 +newcounter=0 +updatecounter=0 + +gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com) + +if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then + + while IFS= read -r repo; do + + # Remove old repo if existing bc of previous error condition or unexpected disruption + repo_name=`echo $repo | awk -F '/' '{print $NF}'` + [ -d $repo_name ] && rm -rf $repo_name + + # Clone repo and make appropriate directories for rules + git clone $repo + echo "Analyzing rules from $repo_name..." + mkdir -p $output_dir/$repo_name + [ -f $repo_name/LICENSE ] && cp $repo_name/LICENSE $output_dir/$repo_name + + # Copy over rules + for i in $(find $repo_name -name "*.yar*"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + repo_sum=$(sha256sum $i | awk '{print $1}') + + # Check rules against those in ignore list -- don't copy if ignored. + if ! grep -iq $rule_name $ignorefile; then + existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l) + + # For existing rules, check to see if they need to be updated, by comparing checksums + if [ $existing_rules -gt 0 ];then + local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}') + if [ "$repo_sum" != "$local_sum" ]; then + echo "Checksums do not match!" + echo "Updating $rule_name..." + cp $i $output_dir/$repo_name; + ((updatecounter++)) + fi + else + # If rule doesn't exist already, we'll add it + echo "Adding new rule: $rule_name..." 
+ cp $i $output_dir/$repo_name + ((newcounter++)) + fi + fi; + done + + # Check to see if we have any old rules that need to be removed + for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do + is_repo_rule=$(find $repo_name -name "$i" | wc -l) + if [ $is_repo_rule -eq 0 ]; then + echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..." + rm $output_dir/$repo_name/$i + ((deletecounter++)) + fi + done + #rm -rf $repo_name + done < $repos + + echo "Done!" + + if [ "$newcounter" -gt 0 ];then + echo "$newcounter new rules added." + fi + + if [ "$updatecounter" -gt 0 ];then + echo "$updatecounter rules updated." + fi + + if [ "$deletecounter" -gt 0 ];then + echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo." + fi + +else + echo "Server returned $gh_status status code." + echo "No connectivity to Github...exiting..." + exit 1 +fi diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt new file mode 100644 index 000000000..a803f8c28 --- /dev/null +++ b/salt/strelka/rules/ignore.txt @@ -0,0 +1,4 @@ +generic_anomalies.yar +general_cloaking.yar +thor_inverse_matches.yar +yara_mixed_ext_vars.yar diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt new file mode 100644 index 000000000..e26687ea9 --- /dev/null +++ b/salt/strelka/rules/repos.txt @@ -0,0 +1 @@ +https://github.com/Neo23x0/signature-base From 30ac5f97644198250a97a6f1ceb57e1f65570e07 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jun 2020 12:56:26 -0400 Subject: [PATCH 040/314] ADding Suricata log compression --- salt/suricata/cron/surilogcompress | 6 ++++++ salt/suricata/init.sls | 15 +++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 salt/suricata/cron/surilogcompress diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress new file mode 100644 index 000000000..b77c4d635 --- /dev/null 
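Review bot: `git clone $repo` and `[ -d $repo_name ] && rm -rf $repo_name` both act on a relative path in whatever directory the caller happens to be in — under the cron entry that is root's home, from so-setup it is the installer's cwd — and with `#rm -rf $repo_name` commented out the clone is left behind there. Everything copied lands in `/opt/so/saltstack/default/salt/strelka/rules`, the Salt fileserver tree that is served to the backend, yet the source is the unpinned HEAD of a third-party repository with no tag, commit or checksum check, so an upstream change or compromise flows straight into detection content; at minimum the repo list should allow a pinned ref. The loop should also run in a `mktemp -d` working directory with a cleanup trap, quote its paths, and skip a repo whose clone fails rather than continue against a missing tree. The `http://github.com` probe is plain HTTP and only proves reachability; it says nothing about what `git clone` fetches.
```shell
output_dir="/opt/so/saltstack/default/salt/strelka/rules"
repos="$output_dir/repos.txt"
ignorefile="$output_dir/ignore.txt"

# Work in a private scratch directory so clone/rm -rf never touch the caller's cwd
workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT
cd "$workdir" || exit 1

# … unchanged: counters and GitHub reachability check …

  while IFS= read -r repo; do
    repo_name=${repo##*/}
    # Shallow clone; allow "url ref" lines in repos.txt if pinned rules are required
    git clone --depth 1 "$repo" "$repo_name" || { echo "clone of $repo failed, skipping"; continue; }
    # … unchanged: rule copy / update / delete logic, with "$output_dir/$repo_name" quoted …
  done < "$repos"
```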
+++ b/salt/suricata/cron/surilogcompress @@ -0,0 +1,6 @@ +#!/bin/bash + +# Gzip the eve logs +find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs nice gzip + +# TODO Add stats log \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 0f3d49bc3..03a5679eb 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -68,6 +68,21 @@ surirulesync: - user: 940 - group: 940 +surilogscript: + file.managed: + - name: /usr/local/bin/surilogcompress + - source: salt://suricata/cron/surilogcompress + - mode: 755 + +/usr/local/bin/surilogcompress: + cron.present: + - user: suricata + - minute: '17' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + suriconfigsync: file.managed: - name: /opt/so/conf/suricata/suricata.yaml From 65687fd28e4481692ca3ba2289667559bcbf5e94 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jun 2020 13:02:17 -0400 Subject: [PATCH 041/314] Update saltstack update to point to correct github --- salt/common/tools/sbin/so-saltstack-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update index d4e380b61..ce323025d 100644 --- a/salt/common/tools/sbin/so-saltstack-update +++ b/salt/common/tools/sbin/so-saltstack-update @@ -21,8 +21,8 @@ clone_to_tmp() { # Make a temp location for the files mkdir /tmp/sogh cd /tmp/sogh - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + git clone https://github.com/Security-Onion-Solutions/securityonion.git cd /tmp } From 1e6fab4e6ea7382891a9b0328ec7acc08380a503 Mon Sep 17 00:00:00 2001 
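Review bot: The pipeline in surilogcompress hands file names to `xargs nice gzip` newline-separated and unquoted, so a name containing whitespace is split, and when only the newest file exists `head -n -1` yields nothing while `xargs` still runs `gzip` with no arguments. Using `find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\0' | sort -z -t $'\t' -g | head -z -n -1 | cut -z -d $'\t' -f 2- | xargs -0 -r nice gzip` keeps names intact and makes the empty case a no-op. The cron entry runs as `user: suricata`, while the rule sync in the same file uses uid 940; whether that account exists on the host and can write `/nsm/suricata` is worth checking.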
From: Mike Reeves Date: Thu, 25 Jun 2020 13:54:01 -0400 Subject: [PATCH 042/314] Fix math for suri loss calulcations --- salt/telegraf/scripts/suriloss.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index acfb8c214..c9e9d478e 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -15,7 +15,7 @@ if [ $CHECKIT == 2 ]; then else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTAL=$(($CURRENTPACKETS - $PASTPACKETS)) + TOTAL=$(($CURRENTPACKETS - $PASTPACKETS + $DROPPED)) LOSS=$(echo $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" From 1e4c967afc22098c9fce9b585042bde5d536d8c7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jun 2020 14:02:02 -0400 Subject: [PATCH 043/314] Fix math for suri loss calulcations --- salt/telegraf/scripts/suriloss.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index c9e9d478e..48745c161 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -15,7 +15,9 @@ if [ $CHECKIT == 2 ]; then else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTAL=$(($CURRENTPACKETS - $PASTPACKETS + $DROPPED)) + TOTALCURRENT=$(($CURRENTPACKETS + $CURRENTDROP)) + TOTALPAST=$(($PASTPACKETS + $PASTDROP)) + TOTAL=$(($TOTALCURRENT - $TOTALPAST)) LOSS=$(echo $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" From 7f0eacd342d81c55e8bf8cecbe279c63b0803c4b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 26 Jun 2020 06:24:09 -0400 Subject: [PATCH 044/314] Playbook - Initial Support for Unit Testing --- salt/soctopus/files/SOCtopus.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index e5878cb70..71318b58d 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf 
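Review bot: `LOSS=$(echo $DROPPED $TOTAL / p | dc)` divides at dc's default precision of 0, so unless a `k` was pushed earlier the result is integer division and any drop ratio below 100% prints as `0`; when `TOTAL` is 0 (no packets between samples) dc also reports a divide-by-zero. Setting a scale and guarding the denominator, e.g. `[ "$TOTAL" -gt 0 ] && LOSS=$(echo "4 k $DROPPED $TOTAL / p" | dc) || LOSS=0`, gives telegraf a usable fraction. `CURRENTDROP` and `PASTDROP` are not assigned within this hunk; if they are not set above, both new sums silently reduce to the raw packet counts.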
@@ -4,6 +4,7 @@
 [es]
 es_url = http://{{MASTER}}:9200
+es_ip = {{MASTER}}
 es_user = YOURESUSER
 es_pass = YOURESPASS
 es_index_pattern = so-*
@@ -62,6 +63,7 @@ slack_webhook = YOURSLACKWEBHOOK
 playbook_url = https://{{MASTER}}/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
+playbook_unit_test_index = playbook-testing
 [log]
 logfile = /var/log/SOCtopus/soctopus.log
From cf7e5f1b6f34986a3e14789c701b02fbd6639ae8 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 26 Jun 2020 09:59:44 -0400
Subject: [PATCH 045/314] [fix] Change permissions on so-yara-update + fix indents
---
 salt/common/tools/sbin/so-yara-update | 0
 setup/so-functions | 2 +-
 setup/so-setup | 6 +++---
 3 files changed, 4 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 salt/common/tools/sbin/so-yara-update
diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
old mode 100644
new mode 100755
diff --git a/setup/so-functions b/setup/so-functions
index 1afd6b90f..0595874ed 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1624,5 +1624,5 @@ es_heapsize() {
 }
 strelka_yara_update() {
- so-yara-update
+ so-yara-update
 }
diff --git a/setup/so-setup b/setup/so-setup
index 60bffd618..bfd3d506c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -257,9 +257,9 @@ if [[ $is_master ]]; then
 whiptail_enable_components
 if [[ $STRELKA == 1 ]]; then
 whiptail_strelka_rules
- if [[ $STRELKARULES == 1 ]]; then
- strelka_yara_update
- fi
+ if [[ $STRELKARULES == 1 ]]; then
+ strelka_yara_update
+ fi
 fi
 collect_webuser_inputs
 get_redirect
From 052c65c05ebe6a864ceb7df52df826be8d404f69 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 26 Jun 2020 13:07:41 -0400
Subject: [PATCH 046/314] add the things to pillarize suricata - https://github.com/Security-Onion-Solutions/securityonion/issues/584
---
 salt/suricata/afpacket.map.jinja | 14 +
 salt/suricata/defaults.yaml | 594 +++++++
 salt/suricata/defaults3.yaml | 1695 -------------------
 salt/suricata/files/defaults.yaml | 2023 ----------------------
 salt/suricata/files/suricata.yaml | 1883 ---------------------
 salt/suricata/files/suricata.yaml.jinja | 3 +
 salt/suricata/files/suricataMETA.yaml | 1883 ---------------------
 salt/suricata/files/test.jinja | 1 -
 salt/suricata/init.sls | 18 +-
 salt/suricata/suricata_config.map.jinja | 59 +-
 salt/suricata/suricata_meta.yaml | 188 +--
 salt/suricata/test.sls | 9 -
 salt/suricata/threading.map.jinja | 32 +
 13 files changed, 742 insertions(+), 7660 deletions(-)
 create mode 100644 salt/suricata/afpacket.map.jinja
 create mode 100644 salt/suricata/defaults.yaml
 delete mode 100644 salt/suricata/defaults3.yaml
 delete mode 100644 salt/suricata/files/defaults.yaml
 delete mode 100644 salt/suricata/files/suricata.yaml
 create mode 100644 salt/suricata/files/suricata.yaml.jinja
 delete mode 100644 salt/suricata/files/suricataMETA.yaml
 delete mode 100644 salt/suricata/files/test.jinja
 delete mode 100644 salt/suricata/test.sls
 create mode 100644 salt/suricata/threading.map.jinja
diff --git a/salt/suricata/afpacket.map.jinja b/salt/suricata/afpacket.map.jinja
new file mode 100644
index 000000000..cd700765a
--- /dev/null
+++ b/salt/suricata/afpacket.map.jinja
@@ -0,0 +1,14 @@
+{% load_yaml as afpacket %}
+af-packet:
+ - interface: {{ salt['pillar.get']('sensor:interface', 'bond0') }}
+ cluster-id: 59
+ cluster-type: cluster_flow
+ defrag: yes
+ use-mmap: yes
+ tpacket-v3: yes
+ ring-size: {{ salt['pillar.get']('sensor:suriringsize', '2048') }}
+ - interface: default
+ #threads: auto
+ #use-mmap: no
+ #tpacket-v3: yes
+{% endload %}
\ No newline at end of file
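Review bot: `defrag: yes`, `use-mmap: yes` and `tpacket-v3: yes` are unquoted inside `{% load_yaml %}`, which Salt parses with its PyYAML-based loader (YAML 1.1 booleans), so they load as Python `True` rather than the string `yes` and the spelling that reaches suricata.yaml depends on how the map is later serialised; the sibling `salt/suricata/defaults.yaml` in this same commit quotes these values (`"yes"`), and this file should match it. `interface: {{ salt['pillar.get']('sensor:interface', 'bond0') }}` becomes a null value if the pillar is set to an empty string, and the same applies to `ring-size`; quoting the expressions (`interface: "{{ salt['pillar.get']('sensor:interface', 'bond0') }}"`) keeps them strings. A one-line comment at the top naming the pillar keys this map consumes (`sensor:interface`, `sensor:suriringsize`) would help whoever has to set them.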
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
new file mode 100644
index 000000000..3945573a2
--- /dev/null
+++ b/salt/suricata/defaults.yaml
@@ -0,0 +1,594 @@ +suricata: + config: + vars: + address-groups: + HOME_NET: "[192.168.0.0/16]" + EXTERNAL_NET: "!$HOME_NET" + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + default-log-dir: /var/log/suricata/ + stats: + enabled: "yes" + interval: 30 + #decoder-events: true + #decoder-events-prefix: "decoder.event" + #stream-events: false + outputs: + - fast: + enabled: "no" + filename: fast.log + append: "yes" + - eve-log: + enabled: "yes" + filetype: regular + filename: /nsm/eve-%Y-%m-%d-%H:%M.json + rotate-interval: hour + #prefix: "@cee: " + #identity: "suricata" + #facility: local5 + #level: Info + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true + # mode: list + # key: suricata + # pipelining: + # enabled: "yes" + # batch-size: 10 + #metadata: "no" + pcap-file: false + community-id: true + community-id-seed: 0 + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For + types: + - alert: + payload: "no" + payload-buffer-size: 4kb + payload-printable: "yes" + packet: "yes" + metadata: + app-layer: false + flow: false + rule: + metadata: true + raw: true + # http-body: "yes" + # http-body-printable: "yes" + tagged-packets: "no" + - unified2-alert: + enabled: "no" + - http-log: + enabled: "no" + filename: http.log + append: "yes" + #extended: "yes" + #custom: "yes" + #customformat: "" + #filetype: regular + - tls-log: + enabled: "no" + filename: tls.log + append: "yes" + 
#extended: "yes" + #custom: "yes" + #customformat: "" + #filetype: regular + #session-resumption: "no" + - tls-store: + enabled: "no" + #certs-log-dir: certs + - pcap-log: + enabled: "no" + filename: log.pcap + limit: 1000mb + max-files: 2000 + compression: none + #lz4-checksum: "no" + #lz4-level: 0 + + mode: normal + #dir: /nsm_data/ + #ts-format: usec + use-stream-depth: "no" + honor-pass-rules: "no" + - alert-debug: + enabled: "no" + filename: alert-debug.log + append: "yes" + #filetype: regular + - alert-prelude: + enabled: "no" + profile: suricata + log-packet-content: "no" + log-packet-header: "yes" + - stats: + enabled: "yes" + filename: stats.log + append: "yes" + totals: "yes" + threads: "no" + null-values: "yes" + - syslog: + enabled: "no" + #identity: "suricata" + facility: local5 + #level: Info + - drop: + enabled: "no" + - file-store: + version: 2 + enabled: "no" + #dir: filestore + #write-fileinfo: "yes" + #force-filestore: "yes" + #stream-depth: 0 + #max-open-files: 1000 + #force-hash: [sha1, md5] + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - file-store: + enabled: "no" + - tcp-data: + enabled: "no" + type: file + filename: tcp-data.log + - http-body-data: + enabled: "no" + type: file + filename: http-data.log + - lua: + enabled: "no" + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + logging: + default-log-level: notice + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + default-output-filter: + outputs: + - console: + enabled: "yes" + # type: json + - file: + enabled: "yes" + level: info + filename: suricata.log + # type: json + - syslog: + enabled: "no" + facility: local5 + format: "[%i] <%d> -- " + # type: json + pcap: + - interface: eth0 + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + #checksum-checks: auto + #threads: 16 + #promisc: "no" + #snaplen: 1518 + - interface: default + #checksum-checks: auto + pcap-file: + checksum-checks: auto + app-layer: + 
protocols: + krb5: + enabled: "yes" + snmp: + enabled: "yes" + ikev2: + enabled: "yes" + tls: + enabled: "yes" + detection-ports: + dp: 443 + #ja3-fingerprints: auto + #encryption-handling: default + dcerpc: + enabled: "yes" + ftp: + enabled: "yes" + # memcap: 64mb + rdp: + #enabled: "no" + ssh: + enabled: "yes" + smtp: + enabled: "yes" + raw-extraction: "no" + mime: + decode-mime: "yes" + decode-base64: "yes" + decode-quoted-printable: "yes" + header-value-depth: 2000 + extract-urls: "yes" + body-md5: "no" + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + smb: + enabled: "yes" + detection-ports: + dp: 139, 445 + #stream-depth: 0 + + nfs: + enabled: "yes" + tftp: + enabled: "yes" + dns: + #global-memcap: 16mb + #state-memcap: 512kb + #request-flood: 500 + tcp: + enabled: "yes" + detection-ports: + dp: 53 + udp: + enabled: "yes" + detection-ports: + dp: 53 + http: + enabled: "yes" + # memcap: + # default-config: + # personality: + # request-body-limit: + # response-body-limit: + # server-config: + # address: + # personalitiy: + libhtp: + default-config: + personality: IDS + request-body-limit: 100kb + response-body-limit: 100kb + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + response-body-decompress-layer-limit: 2 + http-body-inline: auto + # compress-depth: + # decompress-depth: + swf-decompression: + enabled: "yes" + type: both + compress-depth: 0 + decompress-depth: 0 + #randomize-inspection-sizes: "yes" + #randomize-inspection-range: 10 + double-decode-path: "no" + double-decode-query: "no" + #lzma-enabled: "yes" + #lzma-memlimit: 1mb + #compression-bomb-limit: 1mb + server-config: + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # 
double-decode-query: "no" + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # double-decode-query: "no" + modbus: + #request-flood: 500 + enabled: "no" + detection-ports: + dp: 502 + stream-depth: 0 + dnp3: + enabled: "no" + detection-ports: + dp: 20000 + enip: + enabled: "no" + detection-ports: + dp: 44818 + sp: 44818 + ntp: + enabled: "yes" + dhcp: + enabled: "yes" + sip: + #enabled: "no" + asn1-max-frames: 256 + run-as: + user: suricata + group: suricata + #sensor-name: suricata + #pid-file: /var/run/suricata.pid + #daemon-directory: "/" + #umask: 022 + coredump: + max-dump: unlimited + host-mode: auto + max-pending-packets: 1024 + runmode: workers + #autofp-scheduler: hash + default-packet-size: 1500 + unix-command: + enabled: auto + #filename: custom.socket + #magic-file: /usr/share/file/magic + #magic-file: + #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb + legacy: + uricontent: enabled + #reputation-categories-file: /etc/suricata/iprep/categories.txt + #default-reputation-path: /etc/suricata/iprep + #reputation-files: + # - reputation.list + engine-analysis: + rules-fast-pattern: "yes" + rules: "yes" + pcre: + match-limit: 3500 + match-limit-recursion: 1500 + host-os-policy: + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 + max-frags: 65535 + prealloc: "yes" + timeout: 60 + flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 + #recyclers: 1 + vlan: + use-for-tracking: true + flow-timeouts: + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 
+ established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + stream: + memcap: 64mb + checksum-validation: "yes" + inline: auto + reassembly: + memcap: 256mb + depth: 1mb + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: "yes" + #randomize-chunk-range: 10 + #raw: "yes" + #segment-prealloc: 2048 + #check-overlap-different-data: true + host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + #ippair: + # hash-size: 4096 + # prealloc: 1000 + # memcap: 32mb + decoder: + teredo: + enabled: true + ports: $TEREDO_PORTS + vxlan: + enabled: true + ports: $VXLAN_PORTS + erspan: + typeI: + enabled: false + detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + #delayed-detect: "yes" + prefilter: + default: mpm + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false + include-mpm-stats: false + mpm-algo: auto + spm-algo: auto + threading: + set-cpu-affinity: "yes" + detect-thread-ratio: 1.0 + luajit: + states: 128 + + profiling: + #sample-rate: 1000 + rules: + enabled: "yes" + filename: rule_perf.log + append: "yes" + #sort: avgticks + limit: 10 + json: "yes" + keywords: + enabled: "yes" + filename: keyword_perf.log + append: "yes" + + prefilter: + enabled: "yes" + filename: prefilter_perf.log + append: "yes" + rulegroups: + enabled: "yes" + filename: rule_group_perf.log + append: "yes" + packets: + enabled: "yes" + filename: packet_stats.log + append: "yes" 
+ csv: + enabled: "no" + filename: packet_stats.csv + locks: + enabled: "no" + filename: lock_stats.log + append: "yes" + + pcap-log: + enabled: "no" + filename: pcaplog_stats.log + append: "yes" + nfq: + # mode: accept + # repeat-mark: 1 + # repeat-mask: 1 + # bypass-mark: 1 + # bypass-mask: 1 + # route-queue: 2 + # batchcount: 20 + # fail-open: "yes" + nflog: + - group: 2 + buffer-size: 18432 + - group: default + qthreshold: 1 + qtimeout: 100 + max-size: 20000 + capture: + #checksum-validation: none + netmap: + - interface: eth2 + #threads: auto + #copy-mode: tap + #copy-iface: eth3 + # disable-promisc: "no" + #checksum-checks: auto + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + - interface: default + pfring: + - interface: eth0 + threads: auto + cluster-id: 99 + cluster-type: cluster_flow + #bpf-filter: tcp + #bypass: "yes" + #checksum-checks: auto + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + - interface: default + #threads: 2 + ipfw: + # ipfw-reinjection-rule-number: 5500 + napatech: + #hba: -1 + #use-all-streams: "no" + streams: ["0-3"] + auto-config: "yes" + ports: [all] + hashmode: hash5tuplesorted + default-rule-path: /etc/suricata/rules + rule-files: + - all.rules + classification-file: /etc/suricata/classification.config + reference-config-file: /etc/suricata/reference.config + # threshold-file: /etc/suricata/threshold.config + #include: include1.yaml + #include: include2.yaml + \ No newline at end of file diff --git a/salt/suricata/defaults3.yaml b/salt/suricata/defaults3.yaml deleted file mode 100644 index 7a5eae178..000000000 --- a/salt/suricata/defaults3.yaml +++ /dev/null 
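Review bot: The EVE output is written as `filename: /nsm/eve-%Y-%m-%d-%H:%M.json`, while the `surilogcompress` cron script added earlier in this series compresses `/nsm/suricata/eve*.json`; that only lines up if `/nsm` inside the Suricata container is the host's `/nsm/suricata`, which nothing in this hunk shows, so a comment beside `filename` such as `# container path; the host-side copy lives under /nsm/suricata` would keep the two from drifting apart. `HOME_NET: "[192.168.0.0/16]"` is a fixed RFC 1918 default; unless the sensor's pillar overrides it (the merge is not in this hunk), every rule that references `$HOME_NET` inherits the wrong network and alert accuracy suffers silently. `coredump: max-dump: unlimited` allows a crashed engine to write its full memory, which can include captured packet payloads, to disk on the sensor; `max-dump: 0` or a bounded size is the more conservative default, with unlimited reserved for deliberate debugging.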
@@ -1,1695 +0,0 @@ -suricata: - lookup: - vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - - ## - ## Step 2: select outputs to enable - ## - - # The default logging directory. Any log or output file will be - # placed here if its not specified with a full path name. This can be - # overridden with the -l command line parameter. - default-log-dir: /var/log/suricata/ - - # global stats configuration - stats: - enabled: "yes" - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - - # Configure the type of alert (and other) logging you would like. 
- outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: "no" - filename: fast.log - append: "yes" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: "yes" - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: "yes" ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: "no" - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. 
- - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: "no" - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - types: - - alert: - payload: "no" # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: "yes" # enable dumping payload in printable (lossy) format - packet: "yes" # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: "yes" # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: "yes" # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. 
- tagged-packets: "no" - - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: "no" - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: "no" - filename: http.log - append: "yes" - #extended: "yes" # enable this for extended logging information - #custom: "yes" # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: "no" # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: "yes" - #extended: "yes" # Log extended information like fingerprint - #custom: "yes" # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: "no" - - # output module to store certificates chain to disk - - tls-store: - enabled: "no" - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. 
filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: "no" - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: "no"ne, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: "no" - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: "no" #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: "no" # If set to "yes", flows in which a pass rule matched will stopped being logged. - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. 
- - alert-debug: - enabled: "no" - filename: alert-debug.log - append: "yes" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: "no" - profile: suricata - log-packet-content: "no" - log-packet-header: "yes" - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: "yes" - filename: stats.log - append: "yes" # append to file (yes) or overwrite it (no) - totals: "yes" # stats for all threads merged together - threads: "no" # per thread stats - null-values: "yes" # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: "no" - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: "no" - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. 
A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: "no" - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: "yes" - - # Force storing of all files. Default: no. - #force-filestore: "yes" - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: "no" - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. 
- deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: "no" - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: "no" - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: "no" - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: "no" - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - - # Logging configuration. This is not about logging IDS alerts/events, but - # output about what Suricata is doing, like startup messages, errors, etc. - logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. 
Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: "yes" - # type: json - - file: - enabled: "yes" - level: info - filename: suricata.log - # type: json - - syslog: - enabled: "no" - facility: local5 - format: "[%i] <%d> -- " - # type: json - - - ## - ## Step 4: configure common capture settings - ## - ## See "Advanced Capture Options" below for more options, including NETMAP - ## and PF_RING. - ## - - # Linux high speed capture support - af-packet: - - interface: bond0 - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. 
- # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: "yes" - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: "yes" - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: "yes" - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - tpacket-v3: "yes" - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - ring-size: 2056 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: "yes" - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: "no" - # Choose checksum verification mode for the interface. 
At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: "no" - #tpacket-v3: "yes" - - # Cross platform libpcap capture support - pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. 
- # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: "no" - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - - # Settings for reading pcap files - pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - - # See "Advanced Capture Options" below for more options, including NETMAP - # and PF_RING. - - - ## - ## Step 5: App Layer Protocol Configuration - ## - - # Configure the app-layer parsers. The protocols section details each - # protocol. - # - # The option "enabled" takes 3 values - "yes", "no", "detection-only". - # "yes" enables both detection and the parser, "no" disables both, and - # "detection-only" enables protocol detection only (parser disabled). - app-layer: - protocols: - krb5: - enabled: "yes" - snmp: - enabled: "yes" - ikev2: - enabled: "yes" - tls: - enabled: "yes" - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. 
- #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: "yes" - ftp: - enabled: "yes" - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: "no" - ssh: - enabled: "yes" - smtp: - enabled: "yes" - raw-extraction: "no" - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: "yes" - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: "yes" - decode-quoted-printable: "yes" - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: "yes" - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: "no" - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: "yes" - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: "yes" - tftp: - enabled: "yes" - dns: - # memcaps. Globally and per flow/state. 
- #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: "yes" - detection-ports: - dp: 53 - udp: - enabled: "yes" - detection-ports: - dp: 53 - http: - enabled: "yes" - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. 
- # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. - # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: "yes" - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: "yes" - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: "no" - double-decode-query: "no" - - # Can disable LZMA decompression - #lzma-enabled: "yes" - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: "no" - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: "no" - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: "no" - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: "yes" - - dhcp: - enabled: "yes" - - # SIP, disabled by default. - sip: - #enabled: "no" - - # Limit for the maximum number of asn1 frames to decode (default 256) - asn1-max-frames: 256 - - - ############################################################################## - ## - ## Advanced settings below - ## - ############################################################################## - - ## - ## Run Options - ## - - # Run suricata as user and group. - run-as: - user: suricata - group: suricata - - # Some logging module will use that name in event as identifier. The default - # value is the hostname - #sensor-name: suricata - - # Default location of the pid file. 
The pid file is only used in - # daemon mode (start Suricata with -D). If not running in daemon mode - # the --pidfile command line option must be used to create a pid file. - #pid-file: /var/run/suricata.pid - - # Daemon working directory - # Suricata will change directory to this one if provided - # Default: "/" - #daemon-directory: "/" - - # Umask. - # Suricata will use this umask if it is provided. By default it will use the - # umask passed on by the shell. - #umask: 022 - - # Suricata core dump configuration. Limits the size of the core dump file to - # approximately max-dump. The actual core dump size will be a multiple of the - # page size. Core dumps that would be larger than max-dump are truncated. On - # Linux, the actual core dump size may be a few pages larger than max-dump. - # Setting max-dump to 0 disables core dumping. - # Setting max-dump to 'unlimited' will give the full core dump file. - # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size - # to be 'unlimited'. - - coredump: - max-dump: unlimited - - # If Suricata box is a router for the sniffed networks, set it to 'router'. If - # it is a pure sniffing setup, set it to 'sniffer-only'. - # If set to auto, the variable is internally switch to 'router' in IPS mode - # and 'sniffer-only' in IDS mode. - # This feature is currently only used by the reject* keywords. - host-mode: auto - - # Number of packets preallocated per thread. The default is 1024. A higher number - # will make sure each CPU will be more easily kept busy, but may negatively - # impact caching. - max-pending-packets: 1024 - - # Runmode the engine should use. Please check --list-runmodes to get the available - # runmodes for each packet acquisition method. Default depends on selected capture - # method. 'workers' generally gives best performance. - runmode: workers - - # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 
- # - # Supported schedulers are: - # - # hash - Flow assigned to threads using the 5-7 tuple hash. - # ippair - Flow assigned to threads using addresses only. - # - #autofp-scheduler: hash - - # Preallocated size for packet. Default is 1514 which is the classical - # size for pcap on ethernet. You should adjust this value to the highest - # packet size (MTU + hardware header) on your system. - default-packet-size: 1500 - - # Unix command socket can be used to pass commands to Suricata. - # An external tool can then connect to get information from Suricata - # or trigger some modifications of the engine. Set enabled to yes - # to activate the feature. In auto mode, the feature will only be - # activated in live capture mode. You can use the filename variable to set - # the file name of the socket. - unix-command: - enabled: auto - #filename: custom.socket - - # Magic file. The extension .mgc is added to the value here. - #magic-file: /usr/share/file/magic - #magic-file: - - # GeoIP2 database file. Specify path and filename of GeoIP2 database - # if using rules with "geoip" rule option. - #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - - legacy: - uricontent: enabled - - ## - ## Detection settings - ## - - # Set the order of alerts based on actions - # The default order is pass, drop, reject, alert - # action-order: - # - pass - # - drop - # - reject - # - alert - - # IP Reputation - #reputation-categories-file: /etc/suricata/iprep/categories.txt - #default-reputation-path: /etc/suricata/iprep - #reputation-files: - # - reputation.list - - # When run with the option --engine-analysis, the engine will read each of - # the parameters below, and print reports for each of the enabled sections - # and exit. The reports are printed to a file in the default log dir - # given by the parameter "default-log-dir", with engine reporting - # subsection below printing reports in its own report file. 
- engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: "yes" - # enables printing reports for each rule - rules: "yes" - - #recursion and match limits for PCRE where supported - pcre: - match-limit: 3500 - match-limit-recursion: 1500 - - ## - ## Advanced Traffic Tracking and Reconstruction Settings - ## - - # Host specific policies for defragmentation and TCP stream - # reassembly. The host OS lookup is done using a radix tree, just - # like a routing table so the most specific entry matches. - host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - # Defrag settings: - - defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: "yes" - timeout: 60 - - # Enable defrag per host settings - # host-config: - # - # - dmz: - # timeout: 30 - # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] - # - # - lan: - # timeout: 45 - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # - 172.16.14.0/24 - - # Flow settings: - # By default, the reserved memory (memcap) for flows is 32MB. This is the limit - # for flow allocation inside the engine. You can change this value to allow - # more memory usage for flows. - # The hash-size determine the size of the hash used to identify flows inside - # the engine, and by default the value is 65536. - # At the startup, the engine can preallocate a number of flows, to get a better - # performance. The number of flows preallocated is 10000 by default. - # emergency-recovery is the percentage of flows that the engine need to - # prune before unsetting the emergency state. 
The emergency state is activated - # when the memcap limit is reached, allowing to create new flows, but - # pruning them with the emergency timeouts (they are defined below). - # If the memcap is reached, the engine will try to prune flows - # with the default timeouts. If it doesn't find a flow to prune, it will set - # the emergency bit and it will try again with more aggressive timeouts. - # If that doesn't work, then it will try to kill the last time seen flows - # not in use. - # The memcap can be specified in kb, mb, gb. Just a number indicates it's - # in bytes. - - flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - - # This option controls the use of vlan ids in the flow (and defrag) - # hashing. Normally this should be enabled, but in some (broken) - # setups where both sides of a flow are not tagged with the same vlan - # tag, we can ignore the vlan id's in the flow hashing. - vlan: - use-for-tracking: true - - # Specific timeouts for flows. Here you can specify the timeouts that the - # active flows will wait to transit from the current state to another, on each - # protocol. The value of "new" determine the seconds to wait after a handshake or - # stream startup before the engine free the data of that flow it doesn't - # change the state to established (usually if we don't receive more packets - # of that flow). The value of "established" is the amount of - # seconds that the engine will wait to free the flow if it spend that amount - # without receiving new packets or closing the connection. "closed" is the - # amount of time to wait after a flow is closed (usually zero). "bypassed" - # timeout controls locally bypassed flows. For these flows we don't do any other - # tracking. If no packets have been seen after this timeout, the flow is discarded. 
- # - # There's an emergency mode that will become active under attack circumstances, - # making the engine to check flow status faster. This configuration variables - # use the prefix "emergency-" and work similar as the normal ones. - # Some timeouts doesn't apply to all the protocols, like "closed", for udp and - # icmp. - - flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - - # Stream engine settings. Here the TCP stream tracking and reassembly - # engine is configured. - # - # stream: - # memcap: 32mb # Can be specified in kb, mb, gb. Just a - # # number indicates it's in bytes. - # checksum-validation: "yes" # To validate the checksum of received - # # packet. If csum validation is specified as - # # "yes", then packet with invalid csum will not - # # be processed by the engine stream/app layer. - # # Warning: locally generated traffic can be - # # generated without checksum due to hardware offload - # # of checksum. 
You can control the handling of checksum - # # on a per-interface basis via the 'checksum-checks' - # # option - # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread - # midstream: false # don't allow midstream session pickups - # async-oneside: false # don't enable async stream handling - # inline: "no" # stream inline mode - # drop-invalid: "yes" # in inline mode, drop packets that are invalid with regards to streaming engine - # max-synack-queued: 5 # Max different SYN/ACKs to queue - # bypass: "no" # Bypass packets when stream.reassembly.depth is reached. - # # Warning: first side to reach this triggers - # # the bypass. - # - # reassembly: - # memcap: 64mb # Can be specified in kb, mb, gb. Just a number - # # indicates it's in bytes. - # depth: 1mb # Can be specified in kb, mb, gb. Just a number - # # indicates it's in bytes. - # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least - # # this size. Can be specified in kb, mb, - # # gb. Just a number indicates it's in bytes. - # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least - # # this size. Can be specified in kb, mb, - # # gb. Just a number indicates it's in bytes. - # randomize-chunk-size: "yes" # Take a random value for chunk size around the specified value. - # # This lower the risk of some evasion technics but could lead - # # detection change between runs. It is set to 'yes' by default. - # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is - # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size - # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same - # # calculation for toclient-chunk-size. - # # Default value of randomize-chunk-range is 10. - # - # raw: "yes" # 'Raw' reassembly enabled or disabled. - # # raw is for content inspection by detection - # # engine. 
- # - # segment-prealloc: 2048 # number of segments preallocated per thread - # - # check-overlap-different-data: true|false - # # check if a segment contains different data - # # than what we've already seen for that - # # position in the stream. - # # This is enabled automatically if inline mode - # # is used or when stream-event:reassembly_overlap_different_data; - # # is used in a rule. - # - stream: - memcap: 64mb - checksum-validation: "yes" # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: "yes" - #randomize-chunk-range: 10 - #raw: "yes" - #segment-prealloc: 2048 - #check-overlap-different-data: true - - # Host table: - # - # Host table is used by tagging and per host thresholding subsystems. - # - host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - - # IP Pair table: - # - # Used by xbits 'ippair' tracking. - # - #ippair: - # hash-size: 4096 - # prealloc: 1000 - # memcap: 32mb - - # Decoder settings - - decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - - ## - ## Performance tuning and profiling - ## - - # The detection engine builds internal groups of signatures. 
The engine - # allow us to specify the profile to use for them, to manage memory on an - # efficient way keeping a good performance. For the profile keyword you - # can use the words "low", "medium", "high" or "custom". If you use custom - # make sure to define the values at "- custom-values" as your convenience. - # Usually you would prefer medium/high/low. - # - # "sgh mpm-context", indicates how the staging should allot mpm contexts for - # the signature groups. "single" indicates the use of a single context for - # all the signature group heads. "full" indicates a mpm-context for each - # group head. "auto" lets the engine decide the distribution of contexts - # based on the information the engine gathers on the patterns from each - # group head. - # - # The option inspection-recursion-limit is used to limit the recursive calls - # in the content inspection code. For certain payload-sig combinations, we - # might end up taking too much time in the content inspection code. - # If the argument specified is 0, the engine uses an internally defined - # default limit. On not specifying a value, we use no limits on the recursion. - detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: "yes" - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. 
- grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - - # Select the multi pattern algorithm you want to run for scan/search the - # in the engine. - # - # The supported algorithms are: - # "ac" - Aho-Corasick, default implementation - # "ac-bs" - Aho-Corasick, reduced memory implementation - # "ac-ks" - Aho-Corasick, "Ken Steele" variant - # "hs" - Hyperscan, available when built with Hyperscan support - # - # The default mpm-algo value of "auto" will use "hs" if Hyperscan is - # available, "ac" otherwise. - # - # The mpm you choose also decides the distribution of mpm contexts for - # signature groups, specified by the conf - "detect.sgh-mpm-context". - # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" - # to be set to "single", because of ac's memory requirements, unless the - # ruleset is small enough to fit in one's memory, in which case one can - # use "full" with "ac". Rest of the mpms can be run in "full" mode. - - mpm-algo: auto - - # Select the matching algorithm you want to use for single-pattern searches. - # - # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only - # available if Suricata has been built with Hyperscan support). - # - # The default of "auto" will use "hs" if available, otherwise "bm". - - spm-algo: auto - - # Suricata is multi-threaded. Here the threading can be influenced. - threading: - set-cpu-affinity: "yes" - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. 
- # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - - # Luajit has a strange memory requirement, it's 'states' need to be in the - # first 2G of the process' memory. - # - # 'luajit.states' is used to control how many states are preallocated. - # State use: per detect script: 1 per detect thread. Per output script: 1 per - # script. - luajit: - states: 128 - - # Profiling settings. Only effective if Suricata has been built with the - # the --enable-profiling configure flag. - # - profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: "yes" - filename: rule_perf.log - append: "yes" - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). 
- limit: 10 - - # output to json - json: "yes" - - # per keyword profiling - keywords: - enabled: "yes" - filename: keyword_perf.log - append: "yes" - - prefilter: - enabled: "yes" - filename: prefilter_perf.log - append: "yes" - - # per rulegroup profiling - rulegroups: - enabled: "yes" - filename: rule_group_perf.log - append: "yes" - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: "yes" - filename: packet_stats.log - append: "yes" - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: "no" - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: "no" - filename: lock_stats.log - append: "yes" - - pcap-log: - enabled: "no" - filename: pcaplog_stats.log - append: "yes" - - ## - ## Netfilter integration - ## - - # When running in NFQ inline mode, it is possible to use a simulated - # non-terminal NFQUEUE verdict. - # This permit to do send all needed packet to Suricata via this a rule: - # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE - # And below, you can have your standard filtering ruleset. To activate - # this mode, you need to set mode to 'repeat' - # If you want packet to be sent to another queue after an ACCEPT decision - # set mode to 'route' and set next-queue value. - # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance - # by processing several packets before sending a verdict (worker runmode only). - # On linux >= 3.6, you can set the fail-open option to yes to have the kernel - # accept the packet if Suricata is not able to keep pace. - # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is - # set then the NFQ bypass is activated. 
Suricata will set the bypass mark/mask - # on packet of a flow that need to be bypassed. The Nefilter ruleset has to - # directly accept all packets of a flow once a packet has been marked. - nfq: - # mode: accept - # repeat-mark: 1 - # repeat-mask: 1 - # bypass-mark: 1 - # bypass-mask: 1 - # route-queue: 2 - # batchcount: 20 - # fail-open: "yes" - - #nflog support - nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - - ## - ## Advanced Capture Options - ## - - # general settings affecting packet capture - capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - - # Netmap support - # - # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have - # built-in netmap support or compile and install netmap module and appropriate - # NIC driver on your Linux system. - # To reach maximum throughput disable all receive-, segmentation-, - # checksum- offloadings on NIC. - # Disabling Tx checksum offloading is *required* for connecting OS endpoint - # with NIC endpoint. - # You can find more information at https://github.com/luigirizzo/netmap - # - netmap: - # To specify OS endpoint add plus sign at the end (e.g. "eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. 
- #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: "no" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - - # PF_RING configuration. for use with native PF_RING support - # for more info see http://www.ntop.org/products/pf_ring/ - pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. 
PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: "yes" - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - - # For FreeBSD ipfw(8) divert(4) support. - # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" - # in /etc/loader.conf or kldload'ing the appropriate kernel modules. - # Additionally, you need to have an ipfw rule for the engine to see - # the packets from ipfw. For Example: - # - # ipfw add 100 divert 8000 ip from any to any - # - # The 8000 above should be the same number you passed on the command - # line, i.e. -d 8000 - # - ipfw: - - # Reinject packets at the specified ipfw rule number. 
This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - - napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: "no" - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". 
- # - auto-config: "yes" - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - - ## - ## Configure Suricata to load Suricata-Update managed rules. - ## - ## If this section is completely commented out move down to the "Advanced rule - ## file configuration". - ## - - default-rule-path: /etc/suricata/rules - - rule-files: - - all.rules - - ## - ## Auxiliary configuration files. - ## - - classification-file: /etc/suricata/classification.config - reference-config-file: /etc/suricata/reference.config - # threshold-file: /etc/suricata/threshold.config - - ## - ## Include other configs - ## - - # Includes. Files included here will be handled as if they were - # inlined in this configuration file. - #include: include1.yaml - #include: include2.yaml -
\ No newline at end of file
diff --git a/salt/suricata/files/defaults.yaml b/salt/suricata/files/defaults.yaml
deleted file mode 100644
index 71cb64392..000000000
--- a/salt/suricata/files/defaults.yaml
+++ /dev/null
@@ -1,2023 +0,0 @@
-%YAML 1.1 - --- - {%- set META = salt['pillar.get']('static:broversion', 'BRO') %} - {%- set SURIRING = salt['pillar.get']('suricata:suriring', '2048') %} - {%- set SURIMPP = salt['pillar.get']('suricata:surimpp', '5000') %} - {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if grains['role'] == 'so-eval' %} - {%- set MTU = 1500 %} - {%- elif grains['role'] == 'so-helix' %} - {%- set MTU = 9000 %} - {%- else %} - {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %} - {%- endif %} - {%- if salt['pillar.get']('sensor:homenet') %} - {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} - {%- else %} - {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} - {%- endif %} - # Suricata configuration file. In addition to the comments describing all - # options in this file, full documentation can be found at: - # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html - - ## - ## Step 1: inform Suricata about your network - ## - -suricata: - vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[{{ homenet }}]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - - ## - ## Step 2: select outputs to enable - ## - - # The default logging 
directory. Any log or output file will be - # placed here if its not specified with a full path name. This can be - # overridden with the -l command line parameter. - default-log-dir: /var/log/suricata/ - - # global stats configuration - stats: - enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - - # Configure the type of alert (and other) logging you would like. - outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: no - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. 
There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. - - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. 
- header: X-Forwarded-For - - types: - - alert: - payload: no # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: yes # enable dumping payload in printable (lossy) format - packet: yes # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: no - {%- if META != 'SURICATA' -%} - #- anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. 
- # enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. - # types: - # decode: no - # stream: no - # applayer: yes - #packethdr: no - #- http: - # extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - #- dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - #version: 2 - - # Enable/disable this logger. Default: enabled. - #enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. 
- #types: [a, aaaa, cname, mx, ns, ptr, txt] - #- tls: - # extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - #- files: - # force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - #- smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - #- dnp3 - #- ftp - #- rdp - #- nfs - #- smb - #- tftp - #- ikev2 - #- krb5 - #- snmp - #- sip - #- dhcp: - # enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - #- ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - #- flow - # uni-directional flows - #- netflow - - # Metadata event type. 
Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - {%- else -%} - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- types: - decode: no - stream: no - applayer: yes - packethdr: no - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 - - # Enable/disable this logger. Default: enabled. - enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. 
- #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - - smtp: - extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - dnp3 - - ftp - - rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - - ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - - # Metadata event type. 
Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - {%- endif %-} - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: no - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. 
filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: no - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. 
- - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: yes - filename: stats.log - append: yes # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - null-values: yes # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. 
If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: no - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: yes - - # Force storing of all files. Default: no. - #force-filestore: yes - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". 
In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - - # Logging configuration. This is not about logging IDS alerts/events, but - # output about what Suricata is doing, like startup messages, errors, etc. - logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. 
- default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - # type: json - - file: - enabled: yes - level: info - filename: suricata.log - # type: json - - syslog: - enabled: no - facility: local5 - format: "[%i] <%d> -- " - # type: json - - - ## - ## Step 4: configure common capture settings - ## - ## See "Advanced Capture Options" below for more options, including NETMAP - ## and PF_RING. - ## - - # Linux high speed capture support - af-packet: - - interface: {{ interface }} - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. 
- # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - ring-size: {{ SURIRING }} - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. 
At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #tpacket-v3: yes - - # Cross platform libpcap capture support - pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. 
- # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - - # Settings for reading pcap files - pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - - # See "Advanced Capture Options" below for more options, including NETMAP - # and PF_RING. - - - ## - ## Step 5: App Layer Protocol Configuration - ## - - # Configure the app-layer parsers. The protocols section details each - # protocol. - # - # The option "enabled" takes 3 values - "yes", "no", "detection-only". - # "yes" enables both detection and the parser, "no" disables both, and - # "detection-only" enables protocol detection only (parser disabled). - app-layer: - protocols: - krb5: - enabled: yes - snmp: - enabled: yes - ikev2: - enabled: yes - tls: - enabled: yes - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. 
- #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: yes - ftp: - enabled: yes - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: no - ssh: - enabled: yes - smtp: - enabled: yes - raw-extraction: no - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: yes - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: yes - decode-quoted-printable: yes - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: yes - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: no - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: yes - tftp: - enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. 
- # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. 
- # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: yes - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - # Can disable LZMA decompression - #lzma-enabled: yes - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: yes - - dhcp: - enabled: yes - - # SIP, disabled by default. - sip: - #enabled: no - - # Limit for the maximum number of asn1 frames to decode (default 256) - asn1-max-frames: 256 - - - ############################################################################## - ## - ## Advanced settings below - ## - ############################################################################## - - ## - ## Run Options - ## - - # Run suricata as user and group. - run-as: - user: suricata - group: suricata - - # Some logging module will use that name in event as identifier. The default - # value is the hostname - #sensor-name: suricata - - # Default location of the pid file. 
The pid file is only used in - # daemon mode (start Suricata with -D). If not running in daemon mode - # the --pidfile command line option must be used to create a pid file. - #pid-file: /var/run/suricata.pid - - # Daemon working directory - # Suricata will change directory to this one if provided - # Default: "/" - #daemon-directory: "/" - - # Umask. - # Suricata will use this umask if it is provided. By default it will use the - # umask passed on by the shell. - #umask: 022 - - # Suricata core dump configuration. Limits the size of the core dump file to - # approximately max-dump. The actual core dump size will be a multiple of the - # page size. Core dumps that would be larger than max-dump are truncated. On - # Linux, the actual core dump size may be a few pages larger than max-dump. - # Setting max-dump to 0 disables core dumping. - # Setting max-dump to 'unlimited' will give the full core dump file. - # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size - # to be 'unlimited'. - - coredump: - max-dump: unlimited - - # If Suricata box is a router for the sniffed networks, set it to 'router'. If - # it is a pure sniffing setup, set it to 'sniffer-only'. - # If set to auto, the variable is internally switch to 'router' in IPS mode - # and 'sniffer-only' in IDS mode. - # This feature is currently only used by the reject* keywords. - host-mode: auto - - # Number of packets preallocated per thread. The default is 1024. A higher number - # will make sure each CPU will be more easily kept busy, but may negatively - # impact caching. - max-pending-packets: {{ SURIMPP }} - - # Runmode the engine should use. Please check --list-runmodes to get the available - # runmodes for each packet acquisition method. Default depends on selected capture - # method. 'workers' generally gives best performance. - runmode: workers - - # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 
- # - # Supported schedulers are: - # - # hash - Flow assigned to threads using the 5-7 tuple hash. - # ippair - Flow assigned to threads using addresses only. - # - #autofp-scheduler: hash - - # Preallocated size for packet. Default is 1514 which is the classical - # size for pcap on ethernet. You should adjust this value to the highest - # packet size (MTU + hardware header) on your system. - default-packet-size: {{ MTU + 15 }} - - # Unix command socket can be used to pass commands to Suricata. - # An external tool can then connect to get information from Suricata - # or trigger some modifications of the engine. Set enabled to yes - # to activate the feature. In auto mode, the feature will only be - # activated in live capture mode. You can use the filename variable to set - # the file name of the socket. - unix-command: - enabled: auto - #filename: custom.socket - - # Magic file. The extension .mgc is added to the value here. - #magic-file: /usr/share/file/magic - #magic-file: - - # GeoIP2 database file. Specify path and filename of GeoIP2 database - # if using rules with "geoip" rule option. - #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - - legacy: - uricontent: enabled - - ## - ## Detection settings - ## - - # Set the order of alerts based on actions - # The default order is pass, drop, reject, alert - # action-order: - # - pass - # - drop - # - reject - # - alert - - # IP Reputation - #reputation-categories-file: /etc/suricata/iprep/categories.txt - #default-reputation-path: /etc/suricata/iprep - #reputation-files: - # - reputation.list - - # When run with the option --engine-analysis, the engine will read each of - # the parameters below, and print reports for each of the enabled sections - # and exit. The reports are printed to a file in the default log dir - # given by the parameter "default-log-dir", with engine reporting - # subsection below printing reports in its own report file. 
- engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - - #recursion and match limits for PCRE where supported - pcre: - match-limit: 3500 - match-limit-recursion: 1500 - - ## - ## Advanced Traffic Tracking and Reconstruction Settings - ## - - # Host specific policies for defragmentation and TCP stream - # reassembly. The host OS lookup is done using a radix tree, just - # like a routing table so the most specific entry matches. - host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - # Defrag settings: - - defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - - # Enable defrag per host settings - # host-config: - # - # - dmz: - # timeout: 30 - # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] - # - # - lan: - # timeout: 45 - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # - 172.16.14.0/24 - - # Flow settings: - # By default, the reserved memory (memcap) for flows is 32MB. This is the limit - # for flow allocation inside the engine. You can change this value to allow - # more memory usage for flows. - # The hash-size determine the size of the hash used to identify flows inside - # the engine, and by default the value is 65536. - # At the startup, the engine can preallocate a number of flows, to get a better - # performance. The number of flows preallocated is 10000 by default. - # emergency-recovery is the percentage of flows that the engine need to - # prune before unsetting the emergency state. 
The emergency state is activated - # when the memcap limit is reached, allowing to create new flows, but - # pruning them with the emergency timeouts (they are defined below). - # If the memcap is reached, the engine will try to prune flows - # with the default timeouts. If it doesn't find a flow to prune, it will set - # the emergency bit and it will try again with more aggressive timeouts. - # If that doesn't work, then it will try to kill the last time seen flows - # not in use. - # The memcap can be specified in kb, mb, gb. Just a number indicates it's - # in bytes. - - flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - - # This option controls the use of vlan ids in the flow (and defrag) - # hashing. Normally this should be enabled, but in some (broken) - # setups where both sides of a flow are not tagged with the same vlan - # tag, we can ignore the vlan id's in the flow hashing. - vlan: - use-for-tracking: true - - # Specific timeouts for flows. Here you can specify the timeouts that the - # active flows will wait to transit from the current state to another, on each - # protocol. The value of "new" determine the seconds to wait after a handshake or - # stream startup before the engine free the data of that flow it doesn't - # change the state to established (usually if we don't receive more packets - # of that flow). The value of "established" is the amount of - # seconds that the engine will wait to free the flow if it spend that amount - # without receiving new packets or closing the connection. "closed" is the - # amount of time to wait after a flow is closed (usually zero). "bypassed" - # timeout controls locally bypassed flows. For these flows we don't do any other - # tracking. If no packets have been seen after this timeout, the flow is discarded. 
- # - # There's an emergency mode that will become active under attack circumstances, - # making the engine to check flow status faster. This configuration variables - # use the prefix "emergency-" and work similar as the normal ones. - # Some timeouts doesn't apply to all the protocols, like "closed", for udp and - # icmp. - - flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - - # Stream engine settings. Here the TCP stream tracking and reassembly - # engine is configured. - # - # stream: - # memcap: 32mb # Can be specified in kb, mb, gb. Just a - # # number indicates it's in bytes. - # checksum-validation: yes # To validate the checksum of received - # # packet. If csum validation is specified as - # # "yes", then packet with invalid csum will not - # # be processed by the engine stream/app layer. - # # Warning: locally generated traffic can be - # # generated without checksum due to hardware offload - # # of checksum. 
You can control the handling of checksum - # # on a per-interface basis via the 'checksum-checks' - # # option - # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread - # midstream: false # don't allow midstream session pickups - # async-oneside: false # don't enable async stream handling - # inline: no # stream inline mode - # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine - # max-synack-queued: 5 # Max different SYN/ACKs to queue - # bypass: no # Bypass packets when stream.reassembly.depth is reached. - # # Warning: first side to reach this triggers - # # the bypass. - # - # reassembly: - # memcap: 64mb # Can be specified in kb, mb, gb. Just a number - # # indicates it's in bytes. - # depth: 1mb # Can be specified in kb, mb, gb. Just a number - # # indicates it's in bytes. - # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least - # # this size. Can be specified in kb, mb, - # # gb. Just a number indicates it's in bytes. - # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least - # # this size. Can be specified in kb, mb, - # # gb. Just a number indicates it's in bytes. - # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. - # # This lower the risk of some evasion technics but could lead - # # detection change between runs. It is set to 'yes' by default. - # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is - # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size - # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same - # # calculation for toclient-chunk-size. - # # Default value of randomize-chunk-range is 10. - # - # raw: yes # 'Raw' reassembly enabled or disabled. - # # raw is for content inspection by detection - # # engine. 
- # - # segment-prealloc: 2048 # number of segments preallocated per thread - # - # check-overlap-different-data: true|false - # # check if a segment contains different data - # # than what we've already seen for that - # # position in the stream. - # # This is enabled automatically if inline mode - # # is used or when stream-event:reassembly_overlap_different_data; - # # is used in a rule. - # - stream: - memcap: 64mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true - - # Host table: - # - # Host table is used by tagging and per host thresholding subsystems. - # - host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - - # IP Pair table: - # - # Used by xbits 'ippair' tracking. - # - #ippair: - # hash-size: 4096 - # prealloc: 1000 - # memcap: 32mb - - # Decoder settings - - decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - - ## - ## Performance tuning and profiling - ## - - # The detection engine builds internal groups of signatures. The engine - # allow us to specify the profile to use for them, to manage memory on an - # efficient way keeping a good performance. 
For the profile keyword you - # can use the words "low", "medium", "high" or "custom". If you use custom - # make sure to define the values at "- custom-values" as your convenience. - # Usually you would prefer medium/high/low. - # - # "sgh mpm-context", indicates how the staging should allot mpm contexts for - # the signature groups. "single" indicates the use of a single context for - # all the signature group heads. "full" indicates a mpm-context for each - # group head. "auto" lets the engine decide the distribution of contexts - # based on the information the engine gathers on the patterns from each - # group head. - # - # The option inspection-recursion-limit is used to limit the recursive calls - # in the content inspection code. For certain payload-sig combinations, we - # might end up taking too much time in the content inspection code. - # If the argument specified is 0, the engine uses an internally defined - # default limit. On not specifying a value, we use no limits on the recursion. - detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. 
- grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - - # Select the multi pattern algorithm you want to run for scan/search the - # in the engine. - # - # The supported algorithms are: - # "ac" - Aho-Corasick, default implementation - # "ac-bs" - Aho-Corasick, reduced memory implementation - # "ac-ks" - Aho-Corasick, "Ken Steele" variant - # "hs" - Hyperscan, available when built with Hyperscan support - # - # The default mpm-algo value of "auto" will use "hs" if Hyperscan is - # available, "ac" otherwise. - # - # The mpm you choose also decides the distribution of mpm contexts for - # signature groups, specified by the conf - "detect.sgh-mpm-context". - # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" - # to be set to "single", because of ac's memory requirements, unless the - # ruleset is small enough to fit in one's memory, in which case one can - # use "full" with "ac". Rest of the mpms can be run in "full" mode. - - mpm-algo: auto - - # Select the matching algorithm you want to use for single-pattern searches. - # - # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only - # available if Suricata has been built with Hyperscan support). - # - # The default of "auto" will use "hs" if available, otherwise "bm". - - spm-algo: auto - - # Suricata is multi-threaded. Here the threading can be influenced. - threading: - set-cpu-affinity: yes - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. 
- # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - {%- if salt['pillar.get']('sensor:suriprocs') %} - cpu-affinity: - - management-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - threads: {{ salt['pillar.get']('sensor:suriprocs') }} - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "high" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" - {%- endif -%} - {%- if salt['pillar.get']('sensor:suripins') %} - cpu-affinity: - - management-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - worker-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - threads: {{ salt['pillar.get']('sensor:suripins')|length }} - prio: - default: "high" - {% endif %} - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. 
Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - - # Luajit has a strange memory requirement, it's 'states' need to be in the - # first 2G of the process' memory. - # - # 'luajit.states' is used to control how many states are preallocated. - # State use: per detect script: 1 per detect thread. Per output script: 1 per - # script. - luajit: - states: 128 - - # Profiling settings. Only effective if Suricata has been built with the - # the --enable-profiling configure flag. - # - profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - prefilter: - enabled: yes - filename: prefilter_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. 
- locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - - ## - ## Netfilter integration - ## - - # When running in NFQ inline mode, it is possible to use a simulated - # non-terminal NFQUEUE verdict. - # This permit to do send all needed packet to Suricata via this a rule: - # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE - # And below, you can have your standard filtering ruleset. To activate - # this mode, you need to set mode to 'repeat' - # If you want packet to be sent to another queue after an ACCEPT decision - # set mode to 'route' and set next-queue value. - # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance - # by processing several packets before sending a verdict (worker runmode only). - # On linux >= 3.6, you can set the fail-open option to yes to have the kernel - # accept the packet if Suricata is not able to keep pace. - # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is - # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask - # on packet of a flow that need to be bypassed. The Nefilter ruleset has to - # directly accept all packets of a flow once a packet has been marked. 
- nfq: - # mode: accept - # repeat-mark: 1 - # repeat-mask: 1 - # bypass-mark: 1 - # bypass-mask: 1 - # route-queue: 2 - # batchcount: 20 - # fail-open: yes - - #nflog support - nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - - ## - ## Advanced Capture Options - ## - - # general settings affecting packet capture - capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - - # Netmap support - # - # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have - # built-in netmap support or compile and install netmap module and appropriate - # NIC driver on your Linux system. - # To reach maximum throughput disable all receive-, segmentation-, - # checksum- offloadings on NIC. - # Disabling Tx checksum offloading is *required* for connecting OS endpoint - # with NIC endpoint. - # You can find more information at https://github.com/luigirizzo/netmap - # - netmap: - # To specify OS endpoint add plus sign at the end (e.g. "eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. 
If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - - # PF_RING configuration. for use with native PF_RING support - # for more info see http://www.ntop.org/products/pf_ring/ - pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. 
- # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: yes - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - - # For FreeBSD ipfw(8) divert(4) support. - # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" - # in /etc/loader.conf or kldload'ing the appropriate kernel modules. - # Additionally, you need to have an ipfw rule for the engine to see - # the packets from ipfw. For Example: - # - # ipfw add 100 divert 8000 ip from any to any - # - # The 8000 above should be the same number you passed on the command - # line, i.e. -d 8000 - # - ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. 
No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - - napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: no - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". - # - auto-config: yes - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. 
ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - - ## - ## Configure Suricata to load Suricata-Update managed rules. - ## - ## If this section is completely commented out move down to the "Advanced rule - ## file configuration". - ## - - default-rule-path: /etc/suricata/rules - - rule-files: - - all.rules - - ## - ## Auxiliary configuration files. - ## - - classification-file: /etc/suricata/classification.config - reference-config-file: /etc/suricata/reference.config - # threshold-file: /etc/suricata/threshold.config - - ## - ## Include other configs - ## - - # Includes. Files included here will be handled as if they were - # inlined in this configuration file. - #include: include1.yaml - #include: include2.yaml - \ No newline at end of file diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml deleted file mode 100644 index 28e5b4bcf..000000000 --- a/salt/suricata/files/suricata.yaml +++ /dev/null 
@@ -1,1883 +0,0 @@ -%YAML 1.1 ---- - {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if grains['role'] == 'so-eval' %} - {%- set MTU = 1500 %} - {%- elif grains['role'] == 'so-helix' %} - {%- set MTU = 9000 %} - {%- else %} - {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %} - {%- endif %} - {%- if salt['pillar.get']('sensor:homenet') %} - {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} - {%- else %} - {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} - {%- endif %} -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html - -## -## Step 1: inform Suricata about your network -## - -vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[{{ homenet }}]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - -## -## Step 2: select outputs to enable -## - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. 
-default-log-dir: /var/log/suricata/ - -# global stats configuration -stats: - enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - -# Configure the type of alert (and other) logging you would like. -outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: no - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. 
- # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. - - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. 
- header: X-Forwarded-For - - types: - - alert: - payload: no # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: yes # enable dumping payload in printable (lossy) format - packet: yes # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: no - #- anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - # enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- # types: - # decode: no - # stream: no - # applayer: yes - #packethdr: no - #- http: - # extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - #- dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - #version: 2 - - # Enable/disable this logger. Default: enabled. - #enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. 
- #types: [a, aaaa, cname, mx, ns, ptr, txt] - #- tls: - # extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - #- files: - # force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - #- smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - #- dnp3 - #- ftp - #- rdp - #- nfs - #- smb - #- tftp - #- ikev2 - #- krb5 - #- snmp - #- sip - #- dhcp: - # enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - #- ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - #- flow - # uni-directional flows - #- netflow - - # Metadata event type. 
Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: no - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. 
filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: no - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. 
- - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: yes - filename: stats.log - append: yes # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - null-values: yes # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. 
If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: no - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: yes - - # Force storing of all files. Default: no. - #force-filestore: yes - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". 
In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - -# Logging configuration. This is not about logging IDS alerts/events, but -# output about what Suricata is doing, like startup messages, errors, etc. -logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. 
- default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - # type: json - - file: - enabled: yes - level: info - filename: suricata.log - # type: json - - syslog: - enabled: no - facility: local5 - format: "[%i] <%d> -- " - # type: json - - -## -## Step 4: configure common capture settings -## -## See "Advanced Capture Options" below for more options, including NETMAP -## and PF_RING. -## - -# Linux high speed capture support -af-packet: - - interface: {{ interface }} - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. 
- # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - #ring-size: 2048 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. 
At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #tpacket-v3: yes - -# Cross platform libpcap capture support -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. 
- # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -# Settings for reading pcap files -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# See "Advanced Capture Options" below for more options, including NETMAP -# and PF_RING. - - -## -## Step 5: App Layer Protocol Configuration -## - -# Configure the app-layer parsers. The protocols section details each -# protocol. -# -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables protocol detection only (parser disabled). -app-layer: - protocols: - krb5: - enabled: yes - snmp: - enabled: yes - ikev2: - enabled: yes - tls: - enabled: yes - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. 
- #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: yes - ftp: - enabled: yes - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: no - ssh: - enabled: yes - smtp: - enabled: yes - raw-extraction: no - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: yes - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: yes - decode-quoted-printable: yes - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: yes - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: no - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: yes - tftp: - enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. 
- # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. 
- # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: yes - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - # Can disable LZMA decompression - #lzma-enabled: yes - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: yes - - dhcp: - enabled: yes - - # SIP, disabled by default. - sip: - #enabled: no - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - - -############################################################################## -## -## Advanced settings below -## -############################################################################## - -## -## Run Options -## - -# Run suricata as user and group. -run-as: - user: suricata - group: suricata - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). 
If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Umask. -# Suricata will use this umask if it is provided. By default it will use the -# umask passed on by the shell. -#umask: 022 - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -# If Suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Number of packets preallocated per thread. The default is 1024. A higher number -# will make sure each CPU will be more easily kept busy, but may negatively -# impact caching. -max-pending-packets: 5000 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Default depends on selected capture -# method. 'workers' generally gives best performance. -runmode: workers - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# hash - Flow assigned to threads using the 5-7 tuple hash. -# ippair - Flow assigned to threads using addresses only. 
-# -#autofp-scheduler: hash - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -default-packet-size: {{ MTU + 15 }} - -# Unix command socket can be used to pass commands to Suricata. -# An external tool can then connect to get information from Suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. In auto mode, the feature will only be -# activated in live capture mode. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: auto - #filename: custom.socket - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: - -# GeoIP2 database file. Specify path and filename of GeoIP2 database -# if using rules with "geoip" rule option. -#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - -legacy: - uricontent: enabled - -## -## Detection settings -## - -# Set the order of alerts based on actions -# The default order is pass, drop, reject, alert -# action-order: -# - pass -# - drop -# - reject -# - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. 
- rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -## -## Advanced Traffic Tracking and Reconstruction Settings -## - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# pruning them with the emergency timeouts (they are defined below). 
-# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doesn't find a flow to prune, it will set -# the emergency bit and it will try again with more aggressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a handshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). "bypassed" -# timeout controls locally bypassed flows. For these flows we don't do any other -# tracking. If no packets have been seen after this timeout, the flow is discarded. -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. 
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated traffic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# bypass: no # Bypass packets when stream.reassembly.depth is reached. -# # Warning: first side to reach this triggers -# # the bypass. -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. 
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size -# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same -# # calculation for toclient-chunk-size. -# # Default value of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# segment-prealloc: 2048 # number of segments preallocated per thread -# -# check-overlap-different-data: true|false -# # check if a segment contains different data -# # than what we've already seen for that -# # position in the stream. -# # This is enabled automatically if inline mode -# # is used or when stream-event:reassembly_overlap_different_data; -# # is used in a rule. -# -stream: - memcap: 64mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. 
-# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - -# IP Pair table: -# -# Used by xbits 'ippair' tracking. -# -#ippair: -# hash-size: 4096 -# prealloc: 1000 -# memcap: 32mb - -# Decoder settings - -decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - -## -## Performance tuning and profiling -## - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. 
-# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. - grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. -# -# The supported algorithms are: -# "ac" - Aho-Corasick, default implementation -# "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-ks" - Aho-Corasick, "Ken Steele" variant -# "hs" - Hyperscan, available when built with Hyperscan support -# -# The default mpm-algo value of "auto" will use "hs" if Hyperscan is -# available, "ac" otherwise. 
-# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. - -mpm-algo: auto - -# Select the matching algorithm you want to use for single-pattern searches. -# -# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only -# available if Suricata has been built with Hyperscan support). -# -# The default of "auto" will use "hs" if available, otherwise "bm". - -spm-algo: auto - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - set-cpu-affinity: yes - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. - # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - {%- if salt['pillar.get']('sensor:suriprocs') %} - cpu-affinity: - - management-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - threads: {{ salt['pillar.get']('sensor:suriprocs') }} - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "high" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" - {%- endif -%} - {%- if salt['pillar.get']('sensor:suripins') %} - cpu-affinity: - - management-cpu-set: - cpu: [ {{ 
salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - worker-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - threads: {{ salt['pillar.get']('sensor:suripins')|length }} - prio: - default: "high" - {% endif %} - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - -# Luajit has a strange memory requirement, it's 'states' need to be in the -# first 2G of the process' memory. -# -# 'luajit.states' is used to control how many states are preallocated. -# State use: per detect script: 1 per detect thread. Per output script: 1 per -# script. -luajit: - states: 128 - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. 
- enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - prefilter: - enabled: yes - filename: prefilter_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - -## -## Netfilter integration -## - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to Suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). 
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if Suricata is not able to keep pace. -# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is -# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask -# on packet of a flow that need to be bypassed. The Nefilter ruleset has to -# directly accept all packets of a flow once a packet has been marked. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# bypass-mark: 1 -# bypass-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -## -## Advanced Capture Options -## - -# general settings affecting packet capture -capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - -# Netmap support -# -# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. -# To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint -# with NIC endpoint. -# You can find more information at https://github.com/luigirizzo/netmap -# -netmap: - # To specify OS endpoint add plus sign at the end (e.g. 
"eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - -# PF_RING configuration. 
for use with native PF_RING support -# for more info see http://www.ntop.org/products/pf_ring/ -pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: yes - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. 
For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: no - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. 
Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". - # - auto-config: yes - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - -## -## Configure Suricata to load Suricata-Update managed rules. -## -## If this section is completely commented out move down to the "Advanced rule -## file configuration". -## - -default-rule-path: /etc/suricata/rules - -rule-files: - - all.rules - -## -## Auxiliary configuration files. -## - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config -# threshold-file: /etc/suricata/threshold.config - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml 
diff --git a/salt/suricata/files/suricata.yaml.jinja b/salt/suricata/files/suricata.yaml.jinja
new file mode 100644
index 000000000..aa4d2e4e2
--- /dev/null
+++ b/salt/suricata/files/suricata.yaml.jinja
@@ -0,0 +1,3 @@
+%YAML 1.1
+---
+{{ suricata_config | yaml(False) }}
\ No newline at end of file
diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml
deleted file mode 100644
index 61e3be6ec..000000000
--- a/salt/suricata/files/suricataMETA.yaml
+++ /dev/null
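Review bot: `{{ suricata_config | yaml(False) }}` passes the flow-style switch positionally, which leaves a reader guessing what `False` controls; `{{ suricata_config | yaml(flow_style=False) }}` names it and still renders block style. The template now carries no hint of where `suricata_config` is assembled, so a Jinja comment above the line such as `{# suricata_config: defaults.yaml merged with the suricata pillar by the calling state #}` (not emitted into the rendered file) would help; the wording is a guess, since the state that renders this template is not in this diff. Because every pillar-supplied value is now serialized by the dumper instead of being spliced into a quoted scalar the way the deleted suricataMETA.yaml did with `HOME_NET: "[{{ homenet }}]"`, quoting of boolean- and number-looking values is handled centrally, but the rendered output is what the declared `%YAML 1.1` parser in Suricata sees and is what should be checked after a pillar change. The new file also ends without a trailing newline (`\ No newline at end of file`); add one.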
@@ -1,1883 +0,0 @@ -%YAML 1.1 ---- - {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if grains['role'] == 'so-eval' %} - {%- set MTU = 1500 %} - {%- elif grains['role'] == 'so-helix' %} - {%- set MTU = 9000 %} - {%- else %} - {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %} - {%- endif %} - {%- if salt['pillar.get']('sensor:homenet') %} - {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} - {%- else %} - {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} - {%- endif %} -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html - -## -## Step 1: inform Suricata about your network -## - -vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[{{ homenet }}]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - -## -## Step 2: select outputs to enable -## - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. 
-default-log-dir: /var/log/suricata/ - -# global stats configuration -stats: - enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - -# Configure the type of alert (and other) logging you would like. -outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: no - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. 
- # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. - - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. 
- header: X-Forwarded-For - - types: - - alert: - payload: no # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: yes # enable dumping payload in printable (lossy) format - packet: yes # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: no - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- types: - decode: no - stream: no - applayer: yes - packethdr: no - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 - - # Enable/disable this logger. Default: enabled. - enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. 
- #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - dnp3 - - ftp - - rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - - ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - - # Metadata event type. 
Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: no - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. 
filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: no - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. 
- - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: yes - filename: stats.log - append: yes # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - null-values: yes # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. 
If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: no - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: yes - - # Force storing of all files. Default: no. - #force-filestore: yes - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". 
In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - -# Logging configuration. This is not about logging IDS alerts/events, but -# output about what Suricata is doing, like startup messages, errors, etc. -logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. 
- default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - # type: json - - file: - enabled: yes - level: info - filename: suricata.log - # type: json - - syslog: - enabled: no - facility: local5 - format: "[%i] <%d> -- " - # type: json - - -## -## Step 4: configure common capture settings -## -## See "Advanced Capture Options" below for more options, including NETMAP -## and PF_RING. -## - -# Linux high speed capture support -af-packet: - - interface: {{ interface }} - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. 
- # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - #ring-size: 2048 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. 
At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #tpacket-v3: yes - -# Cross platform libpcap capture support -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. 
- # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -# Settings for reading pcap files -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# See "Advanced Capture Options" below for more options, including NETMAP -# and PF_RING. - - -## -## Step 5: App Layer Protocol Configuration -## - -# Configure the app-layer parsers. The protocols section details each -# protocol. -# -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables protocol detection only (parser disabled). -app-layer: - protocols: - krb5: - enabled: yes - snmp: - enabled: yes - ikev2: - enabled: yes - tls: - enabled: yes - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. 
- #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: yes - ftp: - enabled: yes - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: no - ssh: - enabled: yes - smtp: - enabled: yes - raw-extraction: no - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: yes - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: yes - decode-quoted-printable: yes - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: yes - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: no - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: yes - tftp: - enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. 
- # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. 
- # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: yes - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - # Can disable LZMA decompression - #lzma-enabled: yes - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. 
- # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: yes - - dhcp: - enabled: yes - - # SIP, disabled by default. - sip: - #enabled: no - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - - -############################################################################## -## -## Advanced settings below -## -############################################################################## - -## -## Run Options -## - -# Run suricata as user and group. -run-as: - user: suricata - group: suricata - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). 
If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Umask. -# Suricata will use this umask if it is provided. By default it will use the -# umask passed on by the shell. -#umask: 022 - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -# If Suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Number of packets preallocated per thread. The default is 1024. A higher number -# will make sure each CPU will be more easily kept busy, but may negatively -# impact caching. -max-pending-packets: 5000 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Default depends on selected capture -# method. 'workers' generally gives best performance. -runmode: workers - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# hash - Flow assigned to threads using the 5-7 tuple hash. -# ippair - Flow assigned to threads using addresses only. 
-# -#autofp-scheduler: hash - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -default-packet-size: {{ MTU + 15 }} - -# Unix command socket can be used to pass commands to Suricata. -# An external tool can then connect to get information from Suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. In auto mode, the feature will only be -# activated in live capture mode. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: auto - #filename: custom.socket - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: - -# GeoIP2 database file. Specify path and filename of GeoIP2 database -# if using rules with "geoip" rule option. -#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - -legacy: - uricontent: enabled - -## -## Detection settings -## - -# Set the order of alerts based on actions -# The default order is pass, drop, reject, alert -# action-order: -# - pass -# - drop -# - reject -# - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. 
- rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -## -## Advanced Traffic Tracking and Reconstruction Settings -## - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# pruning them with the emergency timeouts (they are defined below). 
-# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doesn't find a flow to prune, it will set -# the emergency bit and it will try again with more aggressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a handshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). "bypassed" -# timeout controls locally bypassed flows. For these flows we don't do any other -# tracking. If no packets have been seen after this timeout, the flow is discarded. -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. 
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated traffic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# bypass: no # Bypass packets when stream.reassembly.depth is reached. -# # Warning: first side to reach this triggers -# # the bypass. -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. 
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size -# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same -# # calculation for toclient-chunk-size. -# # Default value of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# segment-prealloc: 2048 # number of segments preallocated per thread -# -# check-overlap-different-data: true|false -# # check if a segment contains different data -# # than what we've already seen for that -# # position in the stream. -# # This is enabled automatically if inline mode -# # is used or when stream-event:reassembly_overlap_different_data; -# # is used in a rule. -# -stream: - memcap: 64mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. 
-# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - -# IP Pair table: -# -# Used by xbits 'ippair' tracking. -# -#ippair: -# hash-size: 4096 -# prealloc: 1000 -# memcap: 32mb - -# Decoder settings - -decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - -## -## Performance tuning and profiling -## - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. 
-# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. - grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. -# -# The supported algorithms are: -# "ac" - Aho-Corasick, default implementation -# "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-ks" - Aho-Corasick, "Ken Steele" variant -# "hs" - Hyperscan, available when built with Hyperscan support -# -# The default mpm-algo value of "auto" will use "hs" if Hyperscan is -# available, "ac" otherwise. 
-# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. - -mpm-algo: auto - -# Select the matching algorithm you want to use for single-pattern searches. -# -# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only -# available if Suricata has been built with Hyperscan support). -# -# The default of "auto" will use "hs" if available, otherwise "bm". - -spm-algo: auto - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - set-cpu-affinity: yes - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. - # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - {%- if salt['pillar.get']('sensor:suriprocs') %} - cpu-affinity: - - management-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - threads: {{ salt['pillar.get']('sensor:suriprocs') }} - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "high" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" - {%- endif -%} - {%- if salt['pillar.get']('sensor:suripins') %} - cpu-affinity: - - management-cpu-set: - cpu: [ {{ 
salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - worker-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - threads: {{ salt['pillar.get']('sensor:suripins')|length }} - prio: - default: "high" - {% endif %} - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - -# Luajit has a strange memory requirement, it's 'states' need to be in the -# first 2G of the process' memory. -# -# 'luajit.states' is used to control how many states are preallocated. -# State use: per detect script: 1 per detect thread. Per output script: 1 per -# script. -luajit: - states: 128 - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. 
- enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - prefilter: - enabled: yes - filename: prefilter_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - -## -## Netfilter integration -## - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to Suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). 
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if Suricata is not able to keep pace. -# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is -# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask -# on packet of a flow that need to be bypassed. The Nefilter ruleset has to -# directly accept all packets of a flow once a packet has been marked. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# bypass-mark: 1 -# bypass-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -## -## Advanced Capture Options -## - -# general settings affecting packet capture -capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - -# Netmap support -# -# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. -# To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint -# with NIC endpoint. -# You can find more information at https://github.com/luigirizzo/netmap -# -netmap: - # To specify OS endpoint add plus sign at the end (e.g. 
"eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - -# PF_RING configuration. 
for use with native PF_RING support -# for more info see http://www.ntop.org/products/pf_ring/ -pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: yes - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. 
For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: no - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. 
Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". - # - auto-config: yes - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - -## -## Configure Suricata to load Suricata-Update managed rules. -## -## If this section is completely commented out move down to the "Advanced rule -## file configuration". -## - -default-rule-path: /etc/suricata/rules - -rule-files: - - all.rules - -## -## Auxiliary configuration files. -## - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config -# threshold-file: /etc/suricata/threshold.config - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml 
diff --git a/salt/suricata/files/test.jinja b/salt/suricata/files/test.jinja deleted file mode 100644 index 3a024390a..000000000 --- a/salt/suricata/files/test.jinja +++ /dev/null @@ -1 +0,0 @@ -{{ suricata | yaml(False) }} \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index e53b7332b..a71df516b 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -21,7 +21,7 @@ {% set BPF_STATUS = 0 %} {# import_yaml 'suricata/files/defaults2.yaml' as suricata #} -{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %} +{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %} # Suricata @@ -74,23 +74,13 @@ surirulesync: suriconfigsync: file.managed: - name: /opt/so/conf/suricata/suricata.yaml - {%- if BROVER != 'SURICATA' %} - - source: salt://suricata/files/suricata.yaml - {%- else %} - - source: salt://suricata/files/suricataMETA.yaml - {%- endif %} + - source: salt://suricata/files/suricata.yaml.jinja + - context: + suricata_config: {{ suricata_config.suricata.config }} - user: 940 - group: 940 - template: jinja -test_suri_config: - file.managed: - - name: /opt/so/conf/suricata/test.yaml - - source: salt://suricata/files/test.jinja - - context: - suricata: {{ suricata|json }} - - template: jinja - surithresholding: file.managed: - name: /opt/so/conf/suricata/threshold.conf diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 38439e940..3f2a2e3be 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja 
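Review bot: `suricata_config: {{ suricata_config.suricata.config }}` in the suriconfigsync context renders the merged config mapping with Python's repr rather than as YAML, so the state file only parses if that repr happens to be valid flow-style YAML (Python `True`/`False` and, as far as I can tell, an `OrderedDict` from `import_yaml` would not be). The `test_suri_config` state this same hunk removes passed the dict through `|json` for exactly that reason. Use `suricata_config: {{ suricata_config.suricata.config | json }}` (or `| yaml`) so the context value survives the SLS render; the rename to `suricata_config` in the first hunk is fine.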
@@ -1,36 +1,57 @@ -{% import_yaml 'suricata/defaults3.yaml' as suricata_defaults with context %} +{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %} {% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} +{% from 'suricata/threading.map.jinja' import cpu_affinity with context %} +{% from 'suricata/afpacket.map.jinja' import afpacket %} +{% set suricata_pillar = salt['pillar.get']('suricata:config', {}) %} {% set default_evelog_index = [] %} +{% set surimeta_evelog_index = [] %} + +{% if salt['pillar.get']('sensor:homenet') %} + {% load_yaml as homenet %} +HOME_NET: "[{{salt['pillar.get']('sensor:hnsensor', '')}}]" + {% endload %} +{% else %} + {% load_yaml as homenet %} +HOME_NET: "[{{salt['pillar.get']('static:hnmaster', '')}}]" + {% endload %} +{% endif %} {% set hardware_header = 15 %} {% set default_packet_size = salt['grains.filter_by']({ '*_eval': { - 'default-packet-size': 1500 + hardware_header, + 'default-packet-size': salt['pillar.get']('sensor:mtu', 1500) + hardware_header, }, '*_helix': { - 'default-packet-size': 9000 + hardware_header, + 'default-packet-size': salt['pillar.get']('sensor:mtu', 9000) + hardware_header, }, '*': { - 'default-packet-size': 1500 + hardware_header, + 'default-packet-size': salt['pillar.get']('sensor:mtu', 1500) + hardware_header, }, -},grain='id', merge=salt['pillar.get']('suricata')) %} +},grain='id') %} {# Find the index of eve-log so it can be updated later #} -{% for li in suricata_defaults.suricata.lookup.outputs %} - {% for k, v in li.items() %} - {% if k == 'eve-log' %} - {% do default_evelog_index.append(loop.index) %} - {% endif %} - {% endfor %} +{% for li in suricata_defaults.suricata.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do default_evelog_index.append(loop.index0) %} + {% endif %} {% endfor %} -{% set default_evelog_index = default_evelog_index[0] %} +{% set default_evelog_index = default_evelog_index[0] %} -{% set meta_data = 
salt['pillar.filter_by']({ - 'SURICATA': suricata_meta.suricata.lookup.outputs[0], - 'default': suricata_defaults.suricata.lookup.outputs[default_evelog_index] -},pillar='static:broversion', merge=salt['pillar.get']('suricata'), default='default') %} +{# Find the index of eve-log so it can be grabbed later #} +{% for li in suricata_meta.suricata.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do surimeta_evelog_index.append(loop.index0) %} + {% endif %} +{% endfor %} +{% set surimeta_evelog_index = surimeta_evelog_index[0] %} -{% do suricata_defaults.suricata.lookup.update(default_packet_size) %} -{% do suricata_defaults.suricata.lookup.outputs[default_evelog_index].update(meta_data) %} +{% if salt['pillar.get']('static:broversion', 'ZEEK') == 'SURICATA' %} + {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} +{% endif %} -{% set suricata_yaml = salt['pillar.get']('suricata', suricata_defaults, merge=True) %} \ No newline at end of file +{% do suricata_defaults.suricata.config.update(default_packet_size) %} +{% do suricata_defaults.suricata.config.threading.update(cpu_affinity) %} +{% do suricata_defaults.suricata.config.update(afpacket) %} +{% do suricata_defaults.suricata.config.vars['address-groups'].update(homenet) %} + +{% do salt['defaults.merge'](suricata_defaults.suricata.config, suricata_pillar, in_place=True) %} \ No newline at end of file diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml index 747e9b8f9..4cf2530cd 100644 --- a/salt/suricata/suricata_meta.yaml +++ b/salt/suricata/suricata_meta.yaml 
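Review bot: `salt['pillar.get']('sensor:mtu', 1500) + hardware_header` raises a TypeError at render time if the pillar stores the MTU as a string (a quoted value in a pillar file is enough), and the same expression appears in all three `grains.filter_by` branches. Coerce before adding: `'default-packet-size': salt['pillar.get']('sensor:mtu', 1500)|int + hardware_header`. The `default_evelog_index[0]` and `surimeta_evelog_index[0]` lookups also fail with an IndexError if either file has no `eve-log` output, which would be clearer as an explicit check with a message naming the file. The final `defaults.merge` with `in_place=True` lets `suricata:config` pillar override any key in the defaults; a short comment stating that this is the intended override point would help the next reader.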
@@ -1,136 +1,58 @@ suricata: - lookup: + config: outputs: - eve-log: - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: "no" - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. 
- types: - decode: "no" - stream: "no" - applayer: "yes" - packethdr: "no" - - http: - extended: "yes" # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 - - # Enable/disable this logger. Default: enabled. - enabled: "yes" - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: "no" - #responses: "no" - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. 
- #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: "yes" # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: "no" - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: "no" # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: "yes" # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - - smtp: - extended: "yes" # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - dnp3 - - ftp - - rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: "yes" - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: "no" - - ssh - #- stats: - # totals: "yes" # stats for all threads merged together - # threads: "no" # per thread stats - # deltas: "no" # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - - # Metadata event type. 
Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata \ No newline at end of file + types: + - anomaly: + enabled: "no" + types: + decode: "no" + stream: "no" + applayer: "yes" + packethdr: "no" + - http: + extended: "yes" + #custom: [Accept-Encoding, Accept-Language, Authorization] + # dump-all-headers: none + - dns: + version: 2 + enabled: "yes" + #requests: "no" + #responses: "no" + #formats: [detailed, grouped] + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: "yes" + #session-resumption: "no" + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: "no" + #force-hash: [md5] + #- drop: + # alerts: "yes" + # flows: all + - smtp: + extended: "yes" + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + #md5: [body, subject] + - dnp3 + - ftp + - rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + - sip + - dhcp: + enabled: "yes" + # extended: "no" + - ssh + #- stats: + # totals: "yes" + # threads: "no" + # deltas: "no" + - flow + #- netflow + #- metadata \ No newline at end of file diff --git a/salt/suricata/test.sls b/salt/suricata/test.sls deleted file mode 100644 index 118e76950..000000000 --- a/salt/suricata/test.sls +++ /dev/null @@ -1,9 +0,0 @@ -{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata with context %} - -test_suri_config: - file.managed: - - name: /tmp/test.yaml - - source: salt://suricata/files/test.jinja - - context: - suricata: {{ suricata | json }} - - template: jinja \ No newline at end of file diff --git a/salt/suricata/threading.map.jinja b/salt/suricata/threading.map.jinja new file mode 100644 index 000000000..fb9e16d6b --- /dev/null +++ b/salt/suricata/threading.map.jinja 
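Review bot: The rewrite removes every explanatory comment from the eve-log types (the anomaly categories, the dns version-2 note, the `custom` and `force-hash` options), leaving a list of quoted `"yes"`/`"no"` strings with no indication of where their semantics are documented. Since this file's types are now appended to the default outputs by the map, a single header comment above `suricata:` — for example `# Eve-log types appended to the default eve-log outputs when broversion is SURICATA; see the Suricata eve-json output documentation for each type's options` — would keep the meaning discoverable. The file also still ends without a trailing newline.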
@@ -0,0 +1,32 @@
+{% if salt['pillar.get']('sensor:suriprocs') %}
+ {% load_yaml as cpu_affinity%}
+cpu-affinity:
+ - management-cpu-set:
+ cpu: [ all ] # include only these CPUs in affinity settings
+ - receive-cpu-set:
+ cpu: [ all ] # include only these CPUs in affinity settings
+ - worker-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive"
+ threads: {{ salt['pillar.get']('sensor:suriprocs') }}
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "high"
+ {% endload %}
+{% elif salt['pillar.get']('sensor:suripins') %}
+ {% load_yaml as cpu_affinity%}
+cpu-affinity:
+ - management-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
+ - receive-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings
+ - worker-cpu-set:
+ cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ]
+ mode: "exclusive"
+ threads: {{ salt['pillar.get']('sensor:suripins')|length }}
+ prio:
+ default: "high"
+ {% endload %}
+{% endif %}
\ No newline at end of file
From 813c243d3daaf6f46026d21f1bbfe63558a6ec05 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 26 Jun 2020 13:26:08 -0400 Subject: [PATCH 047/314] Update so-yara-update --- salt/common/tools/sbin/so-yara-update | 32 +++++++++++++++++++++------ 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
index e6b682690..884c13728 100755
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
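Review bot: `cpu_affinity` is only assigned inside the `{% if %}` and `{% elif %}` branches, so when neither `sensor:suriprocs` nor `sensor:suripins` is set the name that suricata_config.map.jinja imports is undefined, and its unconditional `threading.update(cpu_affinity)` will, as far as I can tell, fail at render time instead of leaving the default threading block alone. Add an else branch before `{% endif %}`: `{% else %}` / `{% set cpu_affinity = {} %}`. The `suripins` entries are interpolated raw into a YAML flow sequence and `threads:`, so a non-numeric pillar entry produces an unparseable config; a `|map('int')` on the join, or a comment stating the expected type, would make that explicit. Both `{% load_yaml as cpu_affinity%}` tags are also missing the space before `%}`.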
@@ -1,4 +1,21 @@
 #!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+clone_dir="/tmp"
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
 #mkdir -p $output_dir
 repos="$output_dir/repos.txt"
@@ -19,13 +36,14 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
 [ -d $repo_name ] && rm -rf $repo_name
 # Clone repo and make appropriate directories for rules
- git clone $repo
- echo "Analyzing rules from $repo_name..."
+
+ git clone $repo $clone_dir/$repo_name
+ echo "Analyzing rules from $clone_dir/$repo_name..."
 mkdir -p $output_dir/$repo_name
- [ -f $repo_name/LICENSE ] && cp $repo_name/LICENSE $output_dir/$repo_name
+ [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
 # Copy over rules
- for i in $(find $repo_name -name "*.yar*"); do
+ for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
 rule_name=$(echo $i | awk -F '/' '{print $NF}')
 repo_sum=$(sha256sum $i | awk '{print $1}')
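Review bot: The pre-clone cleanup on the context line `[ -d $repo_name ] && rm -rf $repo_name` still tests the old relative path while the clone now goes to `$clone_dir/$repo_name`, so a leftover `/tmp/<repo>` from an interrupted run (the trailing `rm -rf` in the next hunk only runs on completion) makes `git clone` fail, and since its exit status is not checked the script carries on copying whatever is already in that directory into `$output_dir`. Cloning into a fixed name under world-writable `/tmp` also means the rule files installed for Strelka are read from a path any local user could pre-create; `clone_dir=$(mktemp -d)` in the first hunk gives a fresh private directory and makes the stale-directory check unnecessary. Quote the expansions (`"$clone_dir/$repo_name"`) and abort the iteration when the clone fails, e.g. `git clone "$repo" "$clone_dir/$repo_name" || { echo "clone of $repo failed"; continue; }`. The enclosing `while` loop and `if` start outside the hunk.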
@@ -50,17 +68,17 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then fi fi; done - + # Check to see if we have any old rules that need to be removed for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do - is_repo_rule=$(find $repo_name -name "$i" | wc -l) + is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l) if [ $is_repo_rule -eq 0 ]; then echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..." rm $output_dir/$repo_name/$i ((deletecounter++)) fi done - #rm -rf $repo_name + rm -rf $clone_dir/$repo_name done < $repos echo "Done!" From 0b1a258a4b9b2530214d90a66c56fdc4bf7236d7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 26 Jun 2020 14:43:27 -0400 Subject: [PATCH 048/314] change sensor homenet map --- salt/suricata/suricata_config.map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 3f2a2e3be..a1d77cb08 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja @@ -6,9 +6,9 @@ {% set default_evelog_index = [] %} {% set surimeta_evelog_index = [] %} -{% if salt['pillar.get']('sensor:homenet') %} +{% if salt['pillar.get']('sensor:hnsensor') %} {% load_yaml as homenet %} -HOME_NET: "[{{salt['pillar.get']('sensor:hnsensor', '')}}]" +HOME_NET: "[{{salt['pillar.get']('sensor:hnsensor')}}]" {% endload %} {% else %} {% load_yaml as homenet %} From 8c47723bc9f278e7ba907c98b2a387b815a5d8d7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 26 Jun 2020 15:45:52 -0400 Subject: [PATCH 049/314] Run YARA update script after applying state --- setup/so-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index bfd3d506c..ff8792e9a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
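Review bot: `rm -rf $clone_dir/$repo_name` is unquoted and unguarded: an empty `repo_name` (a blank line in `$repos`) expands it to `rm -rf /tmp/`, and the same empty value makes the preceding `find $output_dir/$repo_name` scan the whole rules tree. Quote with the bash guard form, `rm -rf "${clone_dir:?}/${repo_name:?}"`, and skip empty iteration values where `repo_name` is derived (outside this hunk), e.g. `[ -n "$repo_name" ] || continue`. Separately, if the clone failed, `is_repo_rule` is 0 for every existing rule and the entire `$output_dir/$repo_name` set is deleted, so the stale-rule pass should only run after a successful clone. The enclosing `while` loop starts outside the hunk.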
@@ -257,9 +257,6 @@ if [[ $is_master ]]; then whiptail_enable_components if [[ $STRELKA == 1 ]]; then whiptail_strelka_rules - if [[ $STRELKARULES == 1 ]]; then - strelka_yara_update - fi fi collect_webuser_inputs get_redirect @@ -554,6 +551,9 @@ fi if [[ "$STRELKA" = 1 ]]; then set_progress_str 77 "$(print_salt_state_apply 'strelka')" salt-call state.apply -l info strelka >> $setup_log 2>&1 + if [[ $STRELKARULES == 1 ]]; then + /usr/sbin/so-yara-update >> $setup_log 2>&1 + fi fi if [[ "$PLAYBOOK" = 1 ]]; then From c421bd464a20e32234b85e2b498e929cea5be2bc Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 26 Jun 2020 16:42:44 -0400 Subject: [PATCH 050/314] Remove Strelka function (in favor of direct script execution in so-setup) --- setup/so-functions | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 0595874ed..37145e12b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1622,7 +1622,3 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } - -strelka_yara_update() { - so-yara-update -} From 9ac85cf6744546daeaa8fd404091785357239dd1 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 29 Jun 2020 13:09:14 +0000 Subject: [PATCH 051/314] Add Stelka mgmt scripts --- salt/common/tools/sbin/so-strelka-restart | 26 +++++++++++++++++++++++ salt/common/tools/sbin/so-strelka-start | 20 +++++++++++++++++ salt/common/tools/sbin/so-strelka-stop | 25 ++++++++++++++++++++++ 3 files changed, 71 insertions(+) create mode 100755 salt/common/tools/sbin/so-strelka-restart create mode 100755 salt/common/tools/sbin/so-strelka-start create mode 100755 salt/common/tools/sbin/so-strelka-stop diff --git a/salt/common/tools/sbin/so-strelka-restart b/salt/common/tools/sbin/so-strelka-restart new file mode 100755 index 000000000..575517807 --- /dev/null +++ b/salt/common/tools/sbin/so-strelka-restart 
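Review bot: `/usr/sbin/so-yara-update >> $setup_log 2>&1` in the second hunk discards the script's exit status, so a failed rule fetch (no GitHub reachability, clone error) leaves no trace in the setup flow; at minimum record it: `/usr/sbin/so-yara-update >> $setup_log 2>&1 || echo "so-yara-update failed, see $setup_log" >> $setup_log`. The first hunk's removal of the call from the whiptail section is consistent with this move. Both hunks sit inside `if` blocks that start outside them.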
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop strelka-filestream $1
+/usr/sbin/so-stop strelka-manager $1
+/usr/sbin/so-stop strelka-frontend $1
+/usr/sbin/so-stop strelka-backend $1
+/usr/sbin/so-stop strelka-gatekeeper $1
+/usr/sbin/so-stop strelka-coordinator $1
+/usr/sbin/so-start strelka $1
diff --git a/salt/common/tools/sbin/so-strelka-start b/salt/common/tools/sbin/so-strelka-start
new file mode 100755
index 000000000..cecfc0555
--- /dev/null
+++ b/salt/common/tools/sbin/so-strelka-start
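Review bot: The six `so-stop` lines here are an exact copy of so-strelka-stop (next file, L331), so the two scripts will drift; so-strelka-restart could instead be `/usr/sbin/so-strelka-stop "$1"` followed by `/usr/sbin/so-start strelka "$1"`. In all three scripts `$1` is forwarded unquoted and nothing says what it is — a one-line header such as `# usage: so-strelka-restart [ARG]   (ARG is forwarded verbatim to so-stop/so-start)` would help, with the same line in so-strelka-start and so-strelka-stop. None of the scripts sets `set -e`, so a failing `so-stop` is ignored and the later `so-start` still runs; decide whether that is the intended behaviour and comment it.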
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start strelka $1
diff --git a/salt/common/tools/sbin/so-strelka-stop b/salt/common/tools/sbin/so-strelka-stop
new file mode 100755
index 000000000..24bd901d6
--- /dev/null
+++ b/salt/common/tools/sbin/so-strelka-stop
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop strelka-filestream $1
+/usr/sbin/so-stop strelka-manager $1
+/usr/sbin/so-stop strelka-frontend $1
+/usr/sbin/so-stop strelka-backend $1
+/usr/sbin/so-stop strelka-gatekeeper $1
+/usr/sbin/so-stop strelka-coordinator $1
From 378ad97e7ba7a5a139e35459c00ab8814b2982ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Jun 2020 11:16:19 -0400 Subject: [PATCH 052/314] Disabled socket listener --- salt/telegraf/etc/telegraf.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 73cd194e2..3495a0a85 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -2063,9 +2063,9 @@ # ## more about them here: # ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md # # data_format = "influx" -[[inputs.socket_listener]] - service_address = "udp://:8094" - data_format = "influx" +#[[inputs.socket_listener]] +# service_address = "udp://:8094" +# data_format = "influx" # # Statsd UDP/TCP Server From 8ee2142de488348e7ceb39b891365c8e61f1e5ae Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 11:21:47 -0400 Subject: [PATCH 053/314] pillarize idstools - https://github.com/Security-Onion-Solutions/securityonion/issues/583 --- salt/idstools/etc/disable.conf | 6 ++++++ salt/idstools/etc/enable.conf | 6 ++++++ salt/idstools/init.sls | 2 ++ 3 files changed, 14 insertions(+) diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index e8928c495..9eb69575e 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -1,3 +1,5 @@ +{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%} + # idstools - disable.conf # Example of disabling a rule by signature ID (gid is optional). @@ -8,3 +10,7 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ + +{%- for sid in disabled_sids %} +{{ sid }} +{% endfor -%} \ No newline at end of file diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index b7738677c..3f965541f 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf 
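Review bot: The `socket_listener` block is disabled by commenting it out, but nothing records why or whether it may be deleted later; a one-line comment above it, `# socket_listener intentionally disabled (udp/8094 no longer exposed); remove once confirmed unused`, keeps the next reader from re-enabling it by mistake. If the intent is permanent, deleting the three lines is cleaner than keeping dead config.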
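Review bot: `salt['pillar.get']('idstools:sids:disabled', {})` defaults to a mapping while the `for sid in disabled_sids` loop expects a list of SIDs; the empty default only works because a dict is iterable, and a pillar that sets the key to a mapping would emit its keys. Use `[]` as the default here and for `idstools:sids:enabled` in enable.conf (L333). The rendered entries are written to disable.conf as-is, which is fine for pillar data, but a comment above the loop stating that each entry must be a `sid`, `gid:sid`, or `re:` pattern (the forms the file's own examples describe) would document the contract.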
@@ -1,3 +1,5 @@ +{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%} + # idstools-rulecat - enable.conf # Example of enabling a rule by signature ID (gid is optional). @@ -8,3 +10,7 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ + +{%- for sid in enabled_sids %} +{{ sid }} +{% endfor -%} \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index d145a4e15..078cb5b03 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -66,3 +66,5 @@ so-idstools: - binds: - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro - /opt/so/rules/nids:/opt/so/rules/nids:rw + - watch: + - file: idstoolsetcsync From b01bdf35f93d69752aaff535cc1cbfcdd79e4a19 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 11:31:44 -0400 Subject: [PATCH 054/314] [fix] Remove port binding from telegraf docker state --- salt/telegraf/init.sls | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 834f77bf1..9ae0903b9 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -43,8 +43,6 @@ so-telegraf: - HOST_SYS=/host/sys - HOST_MOUNT_PREFIX=/host - network_mode: host - - port_bindings: - - 127.0.0.1:8094:8094 - binds: - /opt/so/log/telegraf:/var/log/telegraf:rw - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro From 8cbccb656ded0a19612a7943029b3ee851226a1c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 11:32:25 -0400 Subject: [PATCH 055/314] [fix] Apply shellcheck fixes --- salt/common/tools/sbin/so-allow | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index d273cfce5..f66d398db 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
@@ -15,17 +15,15 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -. /usr/sbin/so-common +source ./so-common -default_salt_dir=/opt/so/saltstack/default local_salt_dir=/opt/so/saltstack/local SKIP=0 -while getopts "abowi:" OPTION +while getopts "ahfsprbowi:" OPTION do case $OPTION in - h) usage exit 0 @@ -38,11 +36,10 @@ do FULLROLE="beats_endpoint" SKIP=1 ;; - f) + f) FULLROLE="strelka_frontend" SKIP=1 ;; - i) IP=$OPTARG ;; o) @@ -65,7 +62,10 @@ do FULLROLE="wazuh_authd" SKIP=1 ;; - + *) + usage + exit 0 + ;; esac done @@ -84,9 +84,9 @@ if [ "$SKIP" -eq 0 ]; then echo "[p] - Wazuh API - port 55000/tcp" echo "[r] - Wazuh registration service - 1515/tcp" echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" - read ROLE + read -r ROLE echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" - read IP + read -r IP if [ "$ROLE" == "a" ]; then FULLROLE=analyst @@ -121,10 +121,10 @@ if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then if [ "$FULLROLE" == "analyst" ]; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" if ! grep -q "$IP" $WAZUH_MGR_CFG ; then - DATE=`date` + DATE=$(date) sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG + echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." echo echo "Restarting OSSEC Server..." From ed60d48c81b09ba2dfcc59214683010e6354907d Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 29 Jun 2020 18:49:16 +0000 Subject: [PATCH 056/314] Add ES REST API option for so-allow --- files/firewall/hostgroups.local.yaml | 3 +++ salt/common/tools/sbin/so-allow | 9 ++++++++- salt/firewall/assigned_hostgroups.map.yaml | 3 +++ 3 files changed, 14 insertions(+), 1 deletion(-) 
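Review bot: `source ./so-common` replaces an absolute path with one relative to the caller's current directory, so `so-allow` run from anywhere other than its own directory fails to load so-common, and a script run as root sourcing a file from whatever directory the user happens to be in is a habit to avoid; keep the absolute path or derive it: `source "$(dirname "$(readlink -f "$0")")/so-common"`. In the third hunk the new `*)` case exits 0 on an unknown option, which should be `exit 1`. The `read -r IP` change is good, but the value still reaches the `sed`/`echo` into `$WAZUH_MGR_CFG` in the last hunk without validation; a pattern check against an IPv4/CIDR form before use would close that gap.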
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 27ad40f6e..edb08e195 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -12,6 +12,9 @@ firewall: ips: delete: insert: + elasticsearch_rest: + delete: + insert: fleet: ips: delete: diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index d273cfce5..e7c7f1e1a 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -38,7 +38,11 @@ do FULLROLE="beats_endpoint" SKIP=1 ;; - f) + e) + FULLROLE="elasticsearch_rest" + SKIP=1 + ;; + f) FULLROLE="strelka_frontend" SKIP=1 ;; @@ -77,6 +81,7 @@ if [ "$SKIP" -eq 0 ]; then echo "" echo "[a] - Analyst - ports 80/tcp and 443/tcp" echo "[b] - Logstash Beat - port 5044/tcp" + echo "[e] - Elasticsearch REST API - port 9200/tcp" echo "[f] - Strelka frontend - port 57314/tcp" echo "[o] - Osquery endpoint - port 8090/tcp" echo "[s] - Syslog device - 514/tcp/udp" @@ -92,6 +97,8 @@ if [ "$SKIP" -eq 0 ]; then FULLROLE=analyst elif [ "$ROLE" == "b" ]; then FULLROLE=beats_endpoint + elif [ "$ROLE" == "e" ]; then + FULLROLE=elasticsearch_rest elif [ "$ROLE" == "f" ]; then FULLROLE=strelka_frontend elif [ "$ROLE" == "o" ]; then diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index aa41322a3..c16a63c00 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -48,6 +48,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} From abe063602b42f65d4b7521774aa13c38389fcff8 Mon Sep 17 00:00:00 2001 
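Review bot: The new `elasticsearch_rest:` entry places `delete:` and `insert:` directly under the group, whereas the neighbouring groups (`fleet:` and the entry above it) nest them under `ips:`, so any consumer reading `hostgroups.<name>.ips` will get `null` for this group. Add the missing level: `elasticsearch_rest:` / `  ips:` / `    delete:` / `    insert:`.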
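Review bot: The new `e)` case is unreachable: the `getopts` option string (outside this hunk — `"abowi:"` in the base this patch was made against, `"ahfsprbowi:"` after patch 055) does not contain `e`, so `-e` is reported as an illegal option. Add it, e.g. `while getopts "aehfsprbowi:" OPTION`. This patch and patch 055 both start from index d273cfce5 and change the same `f)` line, so one of them will need a rebase. The selection prompt `(a - analyst, b - beats, o - osquery, w - wazuh)` (outside the hunk) still names only four of the options.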
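Review bot: `{{ portgroups.elasticsearch_rest }}` references a portgroup that this commit does not define — the diffstat lists only these three files — so unless `elasticsearch_rest` already exists in the portgroups map the state render fails on an undefined attribute. Either add the portgroup in the same commit (the menu text says 9200/tcp) or confirm it is already present.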
From: Mike Reeves Date: Mon, 29 Jun 2020 14:57:42 -0400 Subject: [PATCH 057/314] Update whiptail snort Update the user to let them know Snort 3.x won't work. --- setup/so-whiptail | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 43774cc00..2aa7bf10c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -536,9 +536,10 @@ whiptail_nids() { [ -n "$TESTING" ] && return NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run:" 20 75 4 \ + "Choose which IDS to run. \n + Snort 3.0 support will be added once it is out of beta:" 25 75 4 \ "Suricata" "Suricata 4.X" ON \ - "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 ) + "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 53c3b1579bc30d7ebe4bb7d0d36e0b55cc20d3a8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:20:17 -0400 Subject: [PATCH 058/314] [feat] Reformat install type menu --- setup/so-whiptail | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2aa7bf10c..2af8db7e3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
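Review bot: The `"Snort"` entry remains a selectable radio item although its description is now a placeholder, so a user can still pick it and `NIDS=Snort` flows into setup; drop the item (and lower the list height from `4`) until it does something, or reject the choice after `whiptail_check_exitstatus`. The prompt string also embeds both a literal line break and `\n` plus the continuation line's leading spaces, which whiptail renders as a blank line followed by an indented sentence; `"Choose which IDS to run.\nSnort 3.0 support will be added once it is out of beta:"` on one line reads cleanly. The function body continues outside the hunk.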
@@ -430,27 +430,37 @@ whiptail_install_type() { # What kind of install are we doing? install_type=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose Install Type:" 20 75 13 \ - "SENSOR" "Create a forward only sensor" ON \ - "SEARCHNODE" "Add a Search Node with parsing" OFF \ - "MASTER" "Start a new grid" OFF \ - "EVAL" "Evaluate all the things" OFF \ - "STANDALONE" "Standalone full install of everything" OFF \ - "MASTERSEARCH" "Master + Search Node" OFF \ - "HEAVYNODE" "Sensor + Search Node" OFF \ - "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \ - "FLEET" "Dedicated Fleet Osquery Node" OFF \ - "HOTNODE" "TODO Add Hot Node (Uses Elastic Clustering)" OFF \ - "WARMNODE" "TODO Add Warm Node to existing Hot or Search node" OFF \ - "WAZUH" "TODO Stand Alone Wazuh Server" OFF \ - "STRELKA" "TODO Stand Alone Strelka Node" OFF 3>&1 1>&2 2>&3 ) + "Choose install type:" 10 65 3 \ + "EVAL" "Evaluation mode (not for production) " ON \ + "STANDALONE" "Standalone production install " OFF \ + "DISTRIBUTED" "Distributed install submenu " OFF \ + 3>&1 1>&2 2>&3 + ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + if [[ $install_type == "DISTRIBUTED" ]]; then + install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose distributed node type:" 13 60 6 \ + "MASTER" "Start a new grid " ON \ + "SENSOR" "Create a forward only sensor " OFF \ + "SEARCHNODE" "Add a search node with parsing " OFF \ + "MASTERSEARCH" "Master + search node " OFF \ + "FLEET" "Dedicated Fleet Osquery Node " OFF \ + "HEAVYNODE" "Sensor + Search Node " OFF \ + 3>&1 1>&2 2>&3 + # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO + # "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO + # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO + # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO + ) + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus export install_type - - } whiptail_log_size_limit() { 
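Review bot: `HELIXSENSOR` no longer appears in either menu, yet the role is still referenced elsewhere in the tree (the `so-helix` grain check in suricata/defaults.yaml in the first patch of this series), so that install path is now unreachable from setup without a note saying it was dropped on purpose; the submenu also sets `MASTER` ON by default where the old default was `SENSOR`, which deserves a line in the commit message. The commented `# "HOTNODE" …` lines inside the `$( … )` substitution are valid bash but easy to misread; keeping that TODO list as a comment above the call would be clearer. The `local exitstatus=$?` after `fi` is correct (an `if` whose condition is false and has no `else` exits 0), though `exitstatus` is now declared twice in the function.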
From d7580fe6a05140c4ea265f731f7881fcf2538dab Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 15:38:05 -0400 Subject: [PATCH 059/314] fix suricata state if suripins or suri procs arent set --- salt/suricata/suricata_config.map.jinja | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index a1d77cb08..6260c1ec1 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja @@ -1,6 +1,5 @@ {% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %} {% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} -{% from 'suricata/threading.map.jinja' import cpu_affinity with context %} {% from 'suricata/afpacket.map.jinja' import afpacket %} {% set suricata_pillar = salt['pillar.get']('suricata:config', {}) %} {% set default_evelog_index = [] %} @@ -50,8 +49,11 @@ HOME_NET: "[{{salt['pillar.get']('static:hnmaster', '')}}]" {% endif %} {% do suricata_defaults.suricata.config.update(default_packet_size) %} -{% do suricata_defaults.suricata.config.threading.update(cpu_affinity) %} {% do suricata_defaults.suricata.config.update(afpacket) %} {% do suricata_defaults.suricata.config.vars['address-groups'].update(homenet) %} +{% if salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins', {})) %} + {% from 'suricata/threading.map.jinja' import cpu_affinity with context %} + {% do suricata_defaults.suricata.config.threading.update(cpu_affinity) %} +{% endif %} {% do salt['defaults.merge'](suricata_defaults.suricata.config, suricata_pillar, in_place=True) %} \ No newline at end of file From 0a97328acca543f5538cfb77063d001bcff74f26 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:53:21 -0400 Subject: [PATCH 060/314] [fix] Apply regex filter to hostname input --- setup/so-whiptail | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
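Review bot: `salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins', {}))` evaluates the inner lookup unconditionally and reads as a nested default rather than an "either is set" test; `{% if salt['pillar.get']('sensor:suriprocs') or salt['pillar.get']('sensor:suripins') %}` states the intent and mirrors the `if`/`elif` pair in the threading map (which appears to be the first hunk of this chunk). A one-line comment above the block, `{# threading.map.jinja only defines cpu_affinity when one of these pillars is set #}`, would explain why the import moved inside the conditional.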
diff --git a/setup/so-whiptail b/setup/so-whiptail index 2af8db7e3..e5ebb8827 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -961,16 +961,23 @@ whiptail_set_hostname() { HOSTNAME=$(cat /etc/hostname) + if [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - while [[ "$HOSTNAME" == *'localhost'* ]] ; do - whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that doesn't contain localhost." 8 75 + while [[ $HOSTNAME == *'localhost'* || ! ( $HOSTNAME =~ ^[a-zA-Z0-9\-]*$ ) ]] ; do + local error_message + error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ + the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', \ + and hyphen ('-')" | tr -d '\t') + whiptail --title "Security Onion Setup" \ + --msgbox "$error_message" 10 75 HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus done From 23c036389982ef6f7ed9b61762adddfcfb841aa5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:54:17 -0400 Subject: [PATCH 061/314] [fix] Reference correct directory in nginx sls and remove navigator sls --- salt/navigator/init.sls | 22 ---------------------- salt/soctopus/init.sls | 2 +- 2 files changed, 1 insertion(+), 23 deletions(-) delete mode 100644 salt/navigator/init.sls diff --git a/salt/navigator/init.sls b/salt/navigator/init.sls deleted file mode 100644 index 67c5060f6..000000000 
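Review bot: `^[a-zA-Z0-9\-]*$` accepts an empty hostname (the `*` allows zero characters) and names that begin or end with a hyphen, which RFC 1123 labels forbid, and it imposes no 63-character limit; `^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$` covers all three. The `tr -d '\t'` only helps if the continuation lines are tab-indented — if the file indents with spaces, those spaces appear in the dialog text. The identical change is resubmitted as patch 070 (L347) at a different offset, so both copies need the fix. The function body continues outside the hunk.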
--- a/salt/navigator/init.sls +++ /dev/null @@ -1,22 +0,0 @@ -{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} - -navigatorconfig: - file.managed: - - name: /opt/so/conf/navigator/navigator_config.json - - source: salt://navigator/files/navigator_config.json - - user: 939 - - group: 939 - - makedirs: True - - template: jinja - -so-navigator: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:{{ VERSION }} - - hostname: navigator - - name: so-navigator - - binds: - - /opt/so/conf/navigator/navigator_config.json:/nav-app/src/assets/config.json:ro - - /opt/so/conf/navigator/nav_layer_playbook.json:/nav-app/src/assets/playbook.json:ro - - port_bindings: - - 0.0.0.0:4200:4200 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index ff30c3c1a..eb9114c58 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -52,7 +52,7 @@ playbookrulessync: navigatordefaultlayer: file.managed: - name: /opt/so/conf/navigator/nav_layer_playbook.json - - source: salt://navigator/files/nav_layer_playbook.json + - source: salt://nginx/files/nav_layer_playbook.json - user: 939 - group: 939 - makedirs: True From fe8df2206309f5ca1a2f7e357978e74cee08a105 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 16:03:14 -0400 Subject: [PATCH 062/314] cleanup whitespace in idstools enable/disable.conf --- salt/idstools/etc/disable.conf | 1 - salt/idstools/etc/enable.conf | 1 - 2 files changed, 2 deletions(-) diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index 9eb69575e..33f7e0ae6 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -1,5 +1,4 @@ {% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%} - # idstools - disable.conf # Example of disabling a rule by signature ID (gid is optional). 
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index 3f965541f..36f95fbc4 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf @@ -1,5 +1,4 @@ {% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%} - # idstools-rulecat - enable.conf # Example of enabling a rule by signature ID (gid is optional). From 67f2eedad1616dfdf6298aa11e5f7df447d39c37 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 16:11:30 -0400 Subject: [PATCH 063/314] cleanup whitespace in idstools enable/disable.conf --- salt/idstools/etc/disable.conf | 2 +- salt/idstools/etc/enable.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index 33f7e0ae6..ff7197360 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -12,4 +12,4 @@ {%- for sid in disabled_sids %} {{ sid }} -{% endfor -%} \ No newline at end of file +{%- endfor %} \ No newline at end of file diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index 36f95fbc4..c16b25986 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf @@ -12,4 +12,4 @@ {%- for sid in enabled_sids %} {{ sid }} -{% endfor -%} \ No newline at end of file +{%- endfor %} \ No newline at end of file From efaf41107c87021478ba8a903991edb6f005ec62 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 16:14:36 -0400 Subject: [PATCH 064/314] update description in localrules/local.rules for idstools --- salt/idstools/localrules/local.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idstools/localrules/local.rules b/salt/idstools/localrules/local.rules index e01ea913c..95be9156f 100644 --- a/salt/idstools/localrules/local.rules +++ b/salt/idstools/localrules/local.rules 
@@ -1 +1 @@ -# Put your own custom Snort/Suricata rules in here. +# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/. \ No newline at end of file From 0f9d8024f853c5a22d93c39bf80b2d578622914c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 29 Jun 2020 16:23:04 -0400 Subject: [PATCH 065/314] add sensoroni to so-status output for sensors - https://github.com/Security-Onion-Solutions/securityonion/issues/878 --- salt/common/maps/eval.map.jinja | 3 ++- salt/common/maps/heavynode.map.jinja | 3 ++- salt/common/maps/sensor.map.jinja | 3 ++- salt/common/maps/standalone.map.jinja | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/salt/common/maps/eval.map.jinja b/salt/common/maps/eval.map.jinja index f868474c5..075344e82 100644 --- a/salt/common/maps/eval.map.jinja +++ b/salt/common/maps/eval.map.jinja @@ -14,6 +14,7 @@ 'so-zeek', 'so-curator', 'so-elastalert', - 'so-soctopus' + 'so-soctopus', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/heavynode.map.jinja b/salt/common/maps/heavynode.map.jinja index 2b8257a6a..cbd0fc3b0 100644 --- a/salt/common/maps/heavynode.map.jinja +++ b/salt/common/maps/heavynode.map.jinja @@ -9,6 +9,7 @@ 'so-steno', 'so-suricata', 'so-wazuh', - 'so-filebeat + 'so-filebeat', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/sensor.map.jinja b/salt/common/maps/sensor.map.jinja index f172dd55d..3f5ebe8eb 100644 --- a/salt/common/maps/sensor.map.jinja +++ b/salt/common/maps/sensor.map.jinja @@ -3,6 +3,7 @@ 'so-telegraf', 'so-steno', 'so-suricata', - 'so-filebeat' + 'so-filebeat', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/standalone.map.jinja b/salt/common/maps/standalone.map.jinja index 3585d0df6..d66cad1f9 100644 --- a/salt/common/maps/standalone.map.jinja +++ b/salt/common/maps/standalone.map.jinja 
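Review bot: The heavynode.map.jinja hunk also closes an unterminated `'so-filebeat` string, which is a genuine render fix and worth naming in the subject line; the other three hunks only append `'so-sensoroni'`. The standalone.map.jinja hunk (L343) is the same append.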
@@ -16,6 +16,7 @@ 'so-suricata', 'so-steno', 'so-dockerregistry', - 'so-soctopus' + 'so-soctopus', + 'so-sensoroni' ] } %} \ No newline at end of file From 8f5da66335285a9536afcc0df23af04a40ae4843 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 30 Jun 2020 03:02:38 +0000 Subject: [PATCH 066/314] Add null safe operator for query name --- salt/elasticsearch/files/ingest/zeek.dns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns index 050c6d414..09ce7fd9f 100644 --- a/salt/elasticsearch/files/ingest/zeek.dns +++ b/salt/elasticsearch/files/ingest/zeek.dns @@ -23,7 +23,7 @@ { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, - { "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} }, + { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld" } }, { "pipeline": { "name": "zeek.common" } } ] } From bf8798f1d13ee3c5bbf455122c19b0dcfaa6d7c1 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 30 Jun 2020 03:04:01 +0000 Subject: [PATCH 067/314] Fix krb client/server cert subject parsing --- salt/elasticsearch/files/ingest/zeek.kerberos | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos index 33381cd2d..917b38b54 100644 --- a/salt/elasticsearch/files/ingest/zeek.kerberos +++ b/salt/elasticsearch/files/ingest/zeek.kerberos 
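Review bot: `ctx.dns.query?.name` guards only the `name` access; when `ctx.dns` or `ctx.dns.query` is absent the expression still dereferences null and the condition throws, and unlike the preceding `script` processor this `pipeline` processor has no `ignore_failure`, so the document is rejected. Guard each level: `"if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')"`. The enclosing processors array starts and ends outside the hunk.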
@@ -13,9 +13,9 @@ { "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } }, { "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } }, - { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } }, - { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] From 84e2965fef6c1d03c7edba3a116a136113f8f8dc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 30 Jun 2020 03:06:01 +0000 Subject: [PATCH 068/314] Addl krb fix --- salt/elasticsearch/files/ingest/zeek.kerberos | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos index 917b38b54..0b09ebf61 100644 --- a/salt/elasticsearch/files/ingest/zeek.kerberos +++ b/salt/elasticsearch/files/ingest/zeek.kerberos 
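Review bot: The target fields become `kerberos.client_certificate.subject` / `kerberos.server_certificate.subject` here and are renamed again to `kerberos.client_certificate_subject` / `kerberos.server_certificate_subject` in the very next patch (068, L345), so only the latter is the intended end state; neither diffstat includes a mapping or index-template change for the new names, and an object `client_certificate` and a scalar `client_certificate_subject` arriving in the same index may produce a mapping conflict. Squashing the two patches and confirming the template avoids that window. The processors array continues outside the hunk.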
@@ -13,9 +13,9 @@ { "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } }, { "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } }, - { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate_subject", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } }, - { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate_subject", "ignore_missing": true } }, { "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] From 1c0443458c3515418b5995d727ff47f4aeda9434 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 30 Jun 2020 08:13:00 -0400 Subject: [PATCH 069/314] so-allow spacing fix --- salt/common/tools/sbin/so-allow | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index e86210874..f069a3e4a 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
@@ -88,6 +88,7 @@ if [ "$SKIP" -eq 0 ]; then echo "[w] - Wazuh agent - port 1514/tcp/udp" echo "[p] - Wazuh API - port 55000/tcp" echo "[r] - Wazuh registration service - 1515/tcp" + echo "" echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" read -r ROLE echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" From 9f398751922b7b46ef553678caa49c9171540c64 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:53:21 -0400 Subject: [PATCH 070/314] [fix] Apply regex filter to hostname input --- setup/so-whiptail | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2aa7bf10c..008d24e1f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -951,16 +951,23 @@ whiptail_set_hostname() { HOSTNAME=$(cat /etc/hostname) + if [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - while [[ "$HOSTNAME" == *'localhost'* ]] ; do - whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that doesn't contain localhost." 8 75 + while [[ $HOSTNAME == *'localhost'* || ! ( $HOSTNAME =~ ^[a-zA-Z0-9\-]*$ ) ]] ; do + local error_message + error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ + the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', \ + and hyphen ('-')" | tr -d '\t') + whiptail --title "Security Onion Setup" \ + --msgbox "$error_message" 10 75 HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus done From cab232ae9f94c4267a319566fe20514ead9ddedf Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Jun 2020 10:11:02 -0400 Subject: [PATCH 071/314] [feat] Add check for disk space during setup --- setup/so-functions | 30 ++++++++++++++++++++++-------- setup/so-variables | 4 ++++ setup/so-whiptail | 2 +- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..3703a3338 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -388,8 +388,6 @@ configure_minion() { printf '%s\n' '----'; cat "$minion_config"; } >> "$setup_log" 2>&1 - - } checkin_at_boot() { 
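Review bot: The new guard `! ( $HOSTNAME =~ ^[a-zA-Z0-9\-]*$ )` still accepts an empty hostname, because `*` matches zero characters, and it accepts names that begin or end with a hyphen, which is not a valid hostname label; `^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$` rejects both while keeping the character set the error message describes. The value is presumably written to the system afterwards, so this loop is the cheapest place to fail. Bracket ranges such as `[a-z]` can be locale-dependent in bash regex matching; if the installer may run under a non-C locale, `[[:alnum:]]` or wrapping the test in `LC_ALL=C` is safer. The closing brace of `whiptail_set_hostname` is outside the hunk.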
@@ -399,27 +397,33 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } - check_requirements() { local eval_or_dist=$1 local node_type=$2 # optional local req_mem local req_cores + local req_storage local nic_list readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" local num_nics=${#nic_list[@]} - + if [[ "$eval_or_dist" == 'eval' ]]; then req_mem=12 req_cores=4 req_nics=2 + req_storage=100 elif [[ "$eval_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 + req_storage=40 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi + if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then + whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" + fi + if [[ $num_nics -lt $req_nics ]]; then whiptail_requirements_error "NICs" "$num_nics" "$req_nics" fi @@ -429,7 +433,7 @@ check_requirements() { fi if [[ $total_mem_hr -lt $req_mem ]]; then - whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB" + whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB" fi } @@ -565,11 +569,19 @@ detect_os() { exit 1 fi + echo "Installing required packages to run installer" # Install bind-utils so the host command exists if ! command -v host > /dev/null 2>&1; then - echo "Installing required packages to run installer" - yum -y install bind-utils yum-plugin-versionlock >> "$setup_log" 2>&1 + yum -y install bind-utils >> "$setup_log" 2>&1 fi + if ! command -v nmcli > /dev/null 2>&1; then + { + yum -y install NetworkManager; + systemctl enable NetworkManager; + systemctl start NetworkManager; + } >> "$setup_log" 2<&1 + fi + yum -y install yum-plugin-versionlock bc >> "$setup_log" 2>&1 elif [ -f /etc/os-release ]; then 
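Review bot: The new disk-space test in `check_requirements` shells out to `bc`, but `bc` is only installed by the `detect_os` hunks later in this same patch; if `check_requirements` can run before that install, the command substitution is empty, `(( ))` evaluates false, and the check is silently skipped. `free_space_root` is already rounded to an integer by the `printf("%.0f", $1)` in so-variables, so plain bash arithmetic suffices: `if (( free_space_root < req_storage )); then`. That also removes the only reason to add `bc` to the package installs. The body of `check_requirements` continues past the end of this hunk.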
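Review bot: The NetworkManager block added to the CentOS branch of `detect_os` ends in `} >> "$setup_log" 2<&1`, reproducing the typo already present in the Ubuntu branch: `2<&1` requests an input duplication of fd 1 onto fd 2, while the intent is `2>&1`. Bash still duplicates the descriptor, so the output most likely lands in the log regardless, but the form is misleading and should read `} >> "$setup_log" 2>&1` in both branches. The Ubuntu copy is in the following hunk, outside this one.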
@@ -582,15 +594,17 @@ detect_os() { echo "We do not support your current version of Ubuntu." exit 1 fi + + echo "Installing required packages to run installer" # Install network manager so we can do interface stuff if ! command -v nmcli > /dev/null 2>&1; then - echo "Installing required packages to run installer" { apt-get install -y network-manager; systemctl enable NetworkManager; systemctl start NetworkManager; } >> "$setup_log" 2<&1 fi + apt-get install -y bc >> "$setup_log" 2>&1 else echo "We were unable to determine if you are using a supported OS." diff --git a/setup/so-variables b/setup/so-variables index e14a955ab..4e08b2fef 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -28,6 +28,9 @@ mkdir -p /nsm filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm +free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +export free_space_root + mkdir -p /root/installtmp/pillar/minions export temp_install_dir=/root/installtmp @@ -36,6 +39,7 @@ export percentage_str='Getting started' export DEBIAN_FRONTEND=noninteractive export default_salt_dir=/opt/so/saltstack/default + export local_salt_dir=/opt/so/saltstack/local export SCRIPTDIR=$(cd `dirname $0` && pwd) diff --git a/setup/so-whiptail b/setup/so-whiptail index e5ebb8827..de27b691b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -292,7 +292,7 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 8 75 + --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus 
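Review bot: `free_space_root` measures the root filesystem, while the line just above it creates and measures `/nsm`; on a host where `/nsm` is a separate mount the requirements dialog will report free space on `/` rather than on the volume that receives the sensor data. If the storage minimum is meant for the data volume, `df -Pk /nsm` (or checking both) is the value to compare. The `grep -v used` after `sed 1d` is a no-op, since the header line has already been dropped.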
From 8d624e6adecc91b22cf93a67dd8137dfcf3ea9e8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Jun 2020 10:53:10 -0400 Subject: [PATCH 072/314] [fix] Move navigatordefaultlayer file.managed state to nginx sls --- salt/nginx/init.sls | 10 ++++++++++ salt/soctopus/init.sls | 10 ---------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2ead5587a..73f14a7ed 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -49,6 +49,16 @@ navigatorconfig: - makedirs: True - template: jinja +navigatordefaultlayer: + file.managed: + - name: /opt/so/conf/navigator/nav_layer_playbook.json + - source: salt://nginx/files/nav_layer_playbook.json + - user: 939 + - group: 939 + - makedirs: True + - replace: False + - template: jinja + so-nginx: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index eb9114c58..6630b32b5 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -49,16 +49,6 @@ playbookrulessync: - group: 939 - template: jinja -navigatordefaultlayer: - file.managed: - - name: /opt/so/conf/navigator/nav_layer_playbook.json - - source: salt://nginx/files/nav_layer_playbook.json - - user: 939 - - group: 939 - - makedirs: True - - replace: False - - template: jinja - so-soctopus: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }} From ce8a59243c18af9dfa9b5ffd562601c49fc92197 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Jun 2020 14:26:48 -0400 Subject: [PATCH 073/314] [feat] Add grep for "Error" to fail if nmcli fails --- setup/so-setup | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 3b5653cbc..f2f92cf93 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -q "ERROR" $setup_log || grep -q "Error" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi @@ -341,14 +341,19 @@ if [[ "$setup_type" == 'iso' ]]; then disable_onion_user fi -set_hostname >> $setup_log 2>&1 -set_version >> $setup_log 2>&1 -clear_master >> $setup_log 2>&1 +{ + set_hostname; + set_version; + clear_master; +} >> $setup_log 2>&1 + if [[ $is_master ]]; then - generate_passwords >> $setup_log 2>&1 - secrets_pillar >> $setup_log 2>&1 - add_socore_user_master >> $setup_log 2>&1 + { + generate_passwords; + secrets_pillar; + add_socore_user_master; + } >> $setup_log 2>&1 fi if [[ $is_master && ! $is_eval ]]; then @@ -401,11 +406,13 @@ fi if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' - create_local_directories >> $setup_log 2>&1 - addtotab_generate_templates >> $setup_log 2>&1 - copy_master_config >> $setup_log 2>&1 - setup_salt_master_dirs >> $setup_log 2>&1 - firewall_generate_templates >> $setup_log 2>&1 + { + create_local_directories; + addtotab_generate_templates; + copy_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 @@ -540,7 +547,7 @@ fi fi set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi 
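Review bot: `grep -q "Error" $setup_log` now fails setup on any line containing the substring `Error`, including benign package-manager or tool output that merely mentions the word, whereas the previous `ERROR` match was confined to the installer's own uppercase marker. If the goal is to catch nmcli failures, anchoring on the exit status of the nmcli call is more precise, for example `nmcli ... || echo '[ ERROR ] nmcli failed' >> "$setup_log"`. `$setup_log` is also unquoted in both grep calls. The `progress` function body continues outside the hunk.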
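Review bot: `so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1"` passes the Fleet password as a command-line argument, where it is typically readable by other local processes through the process list for the duration of the call; the added quoting fixes word splitting but not that exposure. If so-fleet-setup can be adjusted, passing the secret via the environment or stdin (`FLEETNODEPASSWD1="$FLEETNODEPASSWD1" so-fleet-setup "$FLEETNODEUSER"`) keeps it out of argv. The enclosing `if` block starts outside the hunk.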
@@ -605,7 +612,7 @@ if [[ "$success" = 0 ]]; then if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR - so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then From 930f15eea536a433734cb6b3a42ca066a9e244bb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 30 Jun 2020 14:56:08 -0400 Subject: [PATCH 074/314] Introduce so-import-pcap tool - WIP --- salt/common/tools/sbin/so-import-pcap | 221 ++++++++++++++++++++++++++ salt/filebeat/etc/filebeat.yml | 44 ++++- salt/filebeat/init.sls | 4 +- 3 files changed, 263 insertions(+), 6 deletions(-) create mode 100644 salt/common/tools/sbin/so-import-pcap diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap new file mode 100644 index 000000000..3ca1f0277 --- /dev/null +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -0,0 +1,221 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{% set MASTER = salt['grains.get']('master') %} +{% set VERSION = salt['pillar.get']('static:soversion') %} +{%- set MASTERIP = salt['pillar.get']('static:masterip') -%} + +function usage { + cat << EOF +Usage: +Please supply at least one pcap file. + +For example, to import a single pcap named import.pcap: +so-import-pcap import.pcap + +To import multiple pcaps: +so-import-pcap import1.pcap import2.pcap + +** IMPORTANT ** +Security Onion installations contain processes that automatically discard old data. Therefore, imports of old network traffic might immediately be erased, unless those processes are first disabled. 
+ +EOF +} + +function pcapinfo() { + PCAP=$1 + ARGS=$2 + docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MASTER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap $ARGS +} + +function pcapfix() { + PCAP=$1 + PCAP_OUT=$2 + docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MASTER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 +} + +function suricata() { + PCAP=$1 + HASH=$2 + + NSM_PATH=/nsm/import/${HASH}/suricata + mkdir -p $NSM_PATH + chown suricata:socore $NSM_PATH + LOG_PATH=/opt/so/log/suricata/import/${HASH} + mkdir -p $LOG_PATH + chown suricata:suricata $LOG_PATH + docker run --rm \ + -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \ + -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \ + -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \ + -v ${LOG_PATH}:/var/log/suricata/:rw \ + -v ${NSM_PATH}/:/nsm/:rw \ + -v $PCAP:/input.pcap:ro \ + -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \ + {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} \ + --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1 +} + +function zeek() { + PCAP=$1 + HASH=$2 + + NSM_PATH=/nsm/import/${HASH}/zeek + mkdir -p $NSM_PATH/logs + mkdir -p $NSM_PATH/spool + mkdir -p $NSM_PATH/extracted + chown -R zeek:socore $NSM_PATH + docker run --rm \ + -v $NSM_PATH:/nsm:rw \ + -v $PCAP:/input.pcap:ro \ + -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \ + -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \ + -v /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro \ + -v /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro \ + -v /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro \ + -v /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro \ + -v 
/opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw \ + -v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \ + --entrypoint /opt/zeek/bin/zeek \ + -w /nsm/zeek/logs \ + {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} \ + -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 +} + +# if no parameters supplied, display usage +if [ $# -eq 0 ]; then + usage + exit +fi + +# ensure this is a manager node +if [ ! -d /opt/so/conf/soc ]; then + echo "This procedure must be run on a manager node." + exit +fi + +# verify that all parameters are files +for i in "$@"; do + if ! [ -f "$i" ]; then + usage + echo "\"$i\" is not a valid file!" + exit + fi +done + +# track if we have any valid or invalid pcaps +INVALID_PCAPS="no" +VALID_PCAPS="no" + +# track oldest start and newest end so that we can generate the Kibana search hyperlink at the end +START_OLDEST="2050-12-31" +END_NEWEST="1971-01-01" + +# paths must be quoted in case they include spaces +for PCAP in "$@"; do + PCAP=$(/usr/bin/realpath "$PCAP") + echo "Processing Import: ${PCAP}" + echo "- verifying file" + if ! 
pcapinfo "${PCAP}" > /dev/null 2>&1; then + # try to fix pcap and then process the fixed pcap directly + PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap` + echo "- attempting to recover corrupted PCAP file" + pcapfix "${PCAP}" "${PCAP_FIXED}" + PCAP="${PCAP_FIXED}" + TEMP_PCAPS+=(${PCAP_FIXED}) + fi + + # generate a unique hash to assist with dedupe checks + HASH=$(md5sum "${PCAP}" | awk '{ print $1 }') + HASH_DIR=/nsm/import/${HASH} + echo "- assigning unique identifier to import: $HASH" + + if [ -d $HASH_DIR ]; then + echo "- this PCAP has already been imported; skipping" + INVALID_PCAPS="yes" + elif pcapinfo "${PCAP}" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then + echo "- this PCAP file is invalid; skipping" + INVALID_PCAPS="yes" + else + VALID_PCAPS="yes" + + PCAP_DIR=$HASH_DIR/pcap + mkdir -p $PCAP_DIR + + # generate IDS alerts and write them to standard pipeline + echo "- analyzing traffic with Suricata" + suricata "${PCAP}" $HASH + + # generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/ + # since each run writes to a unique subdirectory, there is no need for a lock file + echo "- analyzing traffic with Zeek" + zeek "${PCAP}" $HASH + + START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') + END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') + echo "- saving PCAP data spanning dates $START through $END" + + # compare $START to $START_OLDEST + START_COMPARE=$(date -d $START +%s) + START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) + if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then + START_OLDEST=$START + fi + + # compare $ENDNEXT to $END_NEWEST + ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` + ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) + END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) + if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then + END_NEWEST=$ENDNEXT + fi + + cp -f "${PCAP}" "${PCAP_DIR}"/data.pcap + + fi # end of valid pcap + + echo + +done # end of 
for-loop processing pcap files + +# remove temp files +echo "Cleaning up:" +for TEMP_PCAP in ${TEMP_PCAPS[@]}; do + echo "- removing temporary pcap $TEMP_PCAP" + rm -f $TEMP_PCAP +done + +# output final messages +if [ "$INVALID_PCAPS" = "yes" ]; then + echo + echo "Please note! One or more pcaps was invalid! You can scroll up to see which ones were invalid." +fi + +if [ "$VALID_PCAPS" = "yes" ]; then +cat << EOF + +Import complete! + +You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: +https://{{ MASTERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) + +or you can manually set your Time Range to be: +From: $START_OLDEST To: $END_NEWEST + +Please note that it may take 30 seconds or more for events to appear in Kibana. +EOF +fi \ No newline at end of file diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index da116cf2c..ac4e0fe6f 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -118,12 +118,31 @@ filebeat.inputs: clean_removed: false close_removed: false + - type: log + paths: + - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} + category: network + imported: true + processors: + - dissect: + tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}" + field: "source" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false {%- endfor %} {%- endif %} - type: log paths: - - /suricata/eve*.json + - /nsm/suricata/eve*.json fields: module: suricata dataset: common 
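Review bot: The three early-exit paths in so-import-pcap (no arguments, not a manager node, argument is not a file) use a bare `exit`, so the script reports success to any caller; they should be `exit 1`. The helpers also pass `$PCAP` unquoted into `docker run -v $PCAP:/input.pcap` even though the main loop's comment says paths must be quoted for spaces, so `-v "$PCAP":/input.pcap:ro` in `pcapinfo`, `pcapfix`, `suricata` and `zeek`, and `"${TEMP_PCAPS[@]}"` in the cleanup loop. The exit status of the Suricata and Zeek `docker run` calls is never checked, so a failed analysis still copies the file into `$PCAP_DIR` and prints `Import complete!`; capturing the status and setting `INVALID_PCAPS="yes"` on a nonzero result would make the final summary trustworthy.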
@@ -137,8 +156,27 @@ filebeat.inputs: clean_removed: false close_removed: false - {%- if STRELKAENABLED == 1 %} + - type: log + paths: + - /nsm/import/*/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + imported: true + processors: + - dissect: + tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}" + field: "source" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true + clean_removed: false + close_removed: false + + {%- if STRELKAENABLED == 1 %} - type: log paths: - /nsm/strelka/log/strelka.log @@ -229,7 +267,7 @@ output.elasticsearch: - index: "so-strelka-%{+yyyy.MM.dd}" when.contains: module: "strelka" - + setup.template.enabled: false {%- else %} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 897bb3937..8fba7e258 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -55,9 +55,7 @@ so-filebeat: - binds: - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /nsm/zeek:/nsm/zeek:ro - - /nsm/strelka/log:/nsm/strelka/log:ro - - /nsm/suricata:/suricata:ro + - /nsm:/nsm:ro - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - /opt/so/wazuh/logs/archives:/wazuh/archives:ro - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro From a3deb868ad6b5f1a8b1b7601feb084501c9dc4b8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 30 Jun 2020 14:57:34 -0400 Subject: [PATCH 075/314] Improve filebeat config indentation --- salt/filebeat/etc/filebeat.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index ac4e0fe6f..9dd00503c 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
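Review bot: Replacing the three targeted binds with `/nsm:/nsm:ro` gives the Filebeat container read access to everything under `/nsm`, including the pcap copies written by so-import-pcap and any other data stored there, rather than only the log paths it ships. A narrower set — keeping the previous binds, changing the Suricata one to `/nsm/suricata:/nsm/suricata:ro` to match the new `/nsm/suricata/eve*.json` path, and adding `/nsm/import:/nsm/import:ro` for the new import inputs — delivers the same functionality with least privilege. The mounts are read-only either way, so this is a question of exposure scope rather than integrity.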
@@ -128,9 +128,9 @@ filebeat.inputs: imported: true processors: - dissect: - tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}" - field: "source" - target_prefix: "" + tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}" + field: "source" + target_prefix: "" - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] @@ -166,9 +166,9 @@ filebeat.inputs: imported: true processors: - dissect: - tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}" - field: "source" - target_prefix: "" + tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}" + field: "source" + target_prefix: "" - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] From 3a9d252af3d0d0796023f75d547de1931bc9926e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 09:42:07 -0400 Subject: [PATCH 076/314] [fix] Correct indent in create_local_directories() --- setup/so-functions | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 3703a3338..f8a5230f0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -485,17 +485,17 @@ copy_ssh_key() { } create_local_directories() { - echo "Creating local pillar and salt directories" - PILLARSALTDIR=${SCRIPTDIR::-5} - for i in "pillar" "salt"; do - for d in `find $PILLARSALTDIR/$i -type d`; do - suffixdir=${d//$PILLARSALTDIR/} - if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 - fi - done - chown -R socore:socore "$local_salt_dir/$i" - done + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in $(find $PILLARSALTDIR/$i -type d); do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done } 
From c97798b57db036272473f5ea8cd246ab111bd53f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 09:43:39 -0400 Subject: [PATCH 077/314] [feat] Add check to see if bond nics are managed by Network Manager --- setup/so-variables | 6 +++++- setup/so-whiptail | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 4e08b2fef..bd5f8869d 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -42,4 +42,8 @@ export default_salt_dir=/opt/so/saltstack/default export local_salt_dir=/opt/so/saltstack/local -export SCRIPTDIR=$(cd `dirname $0` && pwd) +SCRIPTDIR=$(cd "$(dirname "$0")" && pwd) +export SCRIPTDIR + +readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" +export nmcli_dev_status_list diff --git a/setup/so-whiptail b/setup/so-whiptail index de27b691b..d047f3253 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -92,6 +92,20 @@ whiptail_bond_nics() { BNICS=$(echo "$BNICS" | tr -d '"') IFS=' ' read -ra BNICS <<< "$BNICS" + + local unmanaged_bond=0 + for bond_nic in "${BNICS[@]}"; do + if [[ ! "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + unmanaged_bond=1 + fi + if [[ "$unmanaged_bond" == 1 ]]; then + whiptail \ + --title "Security Onion Setup" \ + --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ + 8 75 + exit + fi + done } whiptail_bond_nics_mtu() { From 90f4b8e04378749f7edb8711f59f008297b777dd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 11:03:18 -0400 Subject: [PATCH 078/314] [feat] Add welcome/instruction wording to initial menu --- setup/so-whiptail | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index d047f3253..202053cc0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
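Review bot: `"${nmcli_dev_status_list}"` expands only element 0 of the array that `readarray` fills in the so-variables hunk, so the `=~ $bond_nic\:unmanaged` test only ever sees the first device line and the outcome depends on device order; use `"${nmcli_dev_status_list[*]}"`, or loop over the elements and compare `"$entry" == "$bond_nic:unmanaged"` exactly, which also avoids a substring match such as `eth0` against `veth0`. The later hunk at `@@ -95,7 +95,7 @@` that inverts the `!` keeps the same single-element expansion. Bash does not pass arrays to child processes, so `export nmcli_dev_status_list` only takes effect if so-whiptail is sourced into the same shell; worth confirming. The closing brace of `whiptail_bond_nics` is the last line of the hunk.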
@@ -295,8 +295,6 @@ whiptail_fleet_custom_hostname() { whiptail_check_exitstatus $exitstatus } - - whiptail_requirements_error() { local requirement_needed=$1 @@ -1152,7 +1150,20 @@ whiptail_you_sure() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Are you sure you want to continue a network install of Security Onion?" 8 75 + read -r -d '' you_sure_text <<- EOM + Welcome to Security Onion Setup! + + You can use Setup for lots of different use cases from a small standalone installation to a large distributed deployment for your enterprise. + + Setup uses keyboard navigation and you can use arrow keys to move around. Certain screens may provide a list and ask you to select one or more items from that list. You can use [SPACE] to select items and [ENTER] to proceed to the next screen. + + Would you like to continue? + EOM + + whiptail \ + --title "Security Onion Setup" \ + --yesno "$you_sure_text" \ + 20 75 local exitstatus=$? return $exitstatus From 7bb97f2b2d23c772137c34de7d960af1979c1a35 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 11:12:21 -0400 Subject: [PATCH 079/314] [fix] Remove "Panel Title" from Kibana CPU graph Resolves #874 --- salt/grafana/dashboards/standalone/standalone.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/grafana/dashboards/standalone/standalone.json b/salt/grafana/dashboards/standalone/standalone.json index 7624e72f6..5b11eefb4 100644 --- a/salt/grafana/dashboards/standalone/standalone.json +++ b/salt/grafana/dashboards/standalone/standalone.json @@ -461,7 +461,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "Panel Title{{ SERVERNAME }} - Kibana CPU", + "title": "{{ SERVERNAME }} - Kibana CPU", "tooltip": { "shared": true, "sort": 0, From db764902c77ea9f06081543cadc6b419ce089406 Mon Sep 17 00:00:00 2001 
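Review bot: `read -r -d '' you_sure_text <<- EOM` returns a nonzero status because `read` reaches end of input before finding the NUL delimiter; that is the usual idiom, but it aborts the function if the script ever runs under `set -e`, so `read -r -d '' you_sure_text <<- EOM || true` is the safer spelling. `<<-` strips leading tabs only; if the heredoc body is indented with spaces, that indentation becomes part of the dialog text. The closing brace of `whiptail_you_sure` is outside the hunk.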
From: William Wernert Date: Wed, 1 Jul 2020 13:05:11 -0400 Subject: [PATCH 080/314] [fix] Change if condition when checking nmcli status --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 202053cc0..0ec48f2ae 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -95,7 +95,7 @@ whiptail_bond_nics() { local unmanaged_bond=0 for bond_nic in "${BNICS[@]}"; do - if [[ ! "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then unmanaged_bond=1 fi if [[ "$unmanaged_bond" == 1 ]]; then From 4e7e19af54bad60029f285d9bf2dfccc5a0ec887 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:26:27 -0400 Subject: [PATCH 081/314] pillarize zeek node.cfg. change reference from bro to zeek. --- salt/deprecated-bro/files/node.cfg | 22 +++++++++++----------- salt/zeek/files/node.cfg | 30 ++++++++++++++++++------------ setup/so-functions | 6 +++--- setup/so-setup | 2 +- setup/so-whiptail | 2 +- 5 files changed, 34 insertions(+), 28 deletions(-) diff --git a/salt/deprecated-bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg index 6f9608113..804771728 100644 --- a/salt/deprecated-bro/files/node.cfg +++ b/salt/deprecated-bro/files/node.cfg 
@@ -1,13 +1,13 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} +{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} +{%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} {%- endif %} {%- endif %} [manager] @@ -28,13 +28,13 @@ host=localhost interface=af_packet::{{ interface }} lb_method=custom -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} +{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} +lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} {%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} +lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} {%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} +{%- if salt['pillar.get']('sensor:zeek_pins') %} +pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6f9608113..3ba38cb1b 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg 
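Review bot: Renaming the pillar keys from `sensor:bro_*` to `sensor:zeek_*` with no fallback means any existing sensor pillar written with `bro_pins`, `bro_lbprocs` or `bro_proxies` now fails the outer `{%- if %}` and drops into the standalone branch visible in the later `salt/zeek/files/node.cfg` hunk (`{%- else %} [brosa] type=standalone`), losing its worker pinning on the next highstate; the same applies to both hunks of `salt/deprecated-bro/files/node.cfg` here. A transitional lookup at the top of the template, such as `{%- set zeek_pins = salt['pillar.get']('sensor:zeek_pins', salt['pillar.get']('sensor:bro_pins')) %}`, used in place of the repeated `pillar.get` calls, keeps old pillars working until they are migrated. Whether deployed pillars with the old keys exist is not visible here, so confirm before relying on the rename alone.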
@@ -1,15 +1,17 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} +{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} + +{%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} {%- endif %} {%- endif %} + [manager] type=manager host=localhost 
@@ -28,17 +30,21 @@ host=localhost interface=af_packet::{{ interface }} lb_method=custom -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} +{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} +lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} {%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} +lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} {%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} + +{%- if salt['pillar.get']('sensor:zeek_pins') %} +pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} {%- endif %} + af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size=128*1024*1024 +af_packet_buffer_size={{salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} + + {%- else %} [brosa] type=standalone diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..fdfcf37eb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1322,7 +1322,7 @@ sensor_pillar() { " mainint: $MNIC" >> "$pillar_file" if [ "$NSMSETUP" = 'ADVANCED' ]; then - echo " bro_pins:" >> "$pillar_file" + echo " zeek_pins:" >> "$pillar_file" for PIN in "${BROPINS[@]}"; do PIN=$(echo "$PIN" | cut -d\" -f2) echo " - $PIN" >> "$pillar_file" @@ -1333,10 +1333,10 @@ sensor_pillar() { echo " - $SPIN" >> "$pillar_file" done elif [ "$install_type" = 'HELIXSENSOR' ]; then - echo " bro_lbprocs: $lb_procs" >> "$pillar_file" + echo " zeek_lbprocs: $lb_procs" >> "$pillar_file" echo " suriprocs: $lb_procs" >> "$pillar_file" else - echo " bro_lbprocs: $BASICBRO" >> "$pillar_file" + echo " zeek_lbprocs: $BASICBRO" >> "$pillar_file" echo " suriprocs: $BASICSURI" >> "$pillar_file" fi printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index a5b57f13d..f2db6775a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -281,7 +281,7 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_bro_pins + whiptail_zeek_pins whiptail_suricata_pins whiptail_bond_nics_mtu else diff --git a/setup/so-whiptail b/setup/so-whiptail index 008d24e1f..ee9ba5b4b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_bro_pins() { +whiptail_zeek_pins() { [ -n "$TESTING" ] && return From 38db512edaf93c0bead4403ac2fb68903ae0db29 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:29:19 -0400 Subject: [PATCH 082/314] fix spacing --- salt/zeek/files/node.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 3ba38cb1b..6cbdf1052 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg @@ -42,7 +42,7 @@ pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size={{salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} +af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} {%- else %} From 3cf79995a24a3e2342dafa5e19406963004ebe6e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 1 Jul 2020 17:32:43 +0000 Subject: [PATCH 083/314] Modify Whiptail menu for EC2 NIC --- setup/so-whiptail | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 008d24e1f..a96cbcc83 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -107,6 +107,28 @@ whiptail_bond_nics_mtu() { } +whiptail_ec2_nic() { + + [ -n "$TESTING" ] && return + + filter_unused_nics + + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + while [ -z "$BNICS" ] + do + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + + BNICS=$(echo "$BNICS" | tr -d '"') + + IFS=' ' read -ra BNICS <<< "$BNICS" +} + whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 From fd939a06b9bb4ece499068f3502c55aee45814c4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:40:40 -0400 Subject: [PATCH 084/314] whitespace cleanup --- salt/zeek/files/node.cfg | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6cbdf1052..6be5aa5b1 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg 
@@ -1,17 +1,14 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} - -{%- if salt['pillar.get']('sensor:zeek_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} -{%- else %} - {%- if salt['pillar.get']('sensor:zeek_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} + {%- else %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} + {%- endif %} {%- endif %} -{%- endif %} - [manager] type=manager host=localhost @@ -29,22 +26,17 @@ type=worker host=localhost interface=af_packet::{{ interface }} lb_method=custom - -{%- if salt['pillar.get']('sensor:zeek_lbprocs') %} + {%- if salt['pillar.get']('sensor:zeek_lbprocs') %} lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} -{%- else %} + {%- else %} lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} -{%- endif %} - -{%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- endif %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} -{%- endif %} - + {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} - - {%- else %} [brosa] type=standalone From 26b0daf2dadc3a29d89bac0fc337fc917b963118 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 1 Jul 2020 17:42:51 +0000 Subject: [PATCH 085/314] Add other setup-related items for EC2 interface --- setup/so-functions | 55 +++++++++++++++++++++++++++++++++++++++++----- setup/so-setup | 17 ++++++++++---- 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..efccdedd5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -498,6 +498,7 @@ create_local_directories() { create_sensor_bond() { echo "Setting up sensor bond" >> "$setup_log" 2>&1 + INTERFACE="bond0" local nic_error=0 check_network_manager_conf >> "$setup_log" 2>&1 @@ -1317,7 +1318,7 @@ sensor_pillar() { # Create the sensor pillar printf '%s\n'\ "sensor:"\ - " interface: bond0"\ + " interface: $INTERFACE"\ " mainip: $MAINIP"\ " mainint: $MNIC" >> "$pillar_file" @@ -1428,13 +1429,13 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" case "$install_type" in 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True ;; 'MASTERSEARCH') $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; esac ;; 
@@ -1448,7 +1449,7 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" @@ -1457,7 +1458,7 @@ set_initial_firewall_policy() { 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') 
@@ -1620,3 +1621,47 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } + +is_ec2() { + # Check if EC2 + if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then + is_ec2=1 + else + is_ec2=0 + fi +} + +create_ec2_sniffing() { + echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 + + local nic_error=0 + + check_network_manager_conf >> "$setup_log" 2>&1 + + # Set the MTU + if [[ $NSMSETUP != 'ADVANCED' ]]; then + MTU=1575 + fi + + for BNIC in "${BNICS[@]}"; do + # Check if specific offload features are able to be disabled + for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do + if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then + echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 + nic_error=1 + break + fi + done + + # Turn off various offloading settings for the interface + for i in rx tx sg tso ufo gso gro lro; do + ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 + done + done + + INTERFACE=$BNIC + + if [ $nic_error != 0 ]; then + return 1 + fi +} diff --git a/setup/so-setup b/setup/so-setup index a5b57f13d..69b9c3c32 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -100,6 +100,8 @@ got_root detect_os +is_ec2 + if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi @@ -225,7 +227,11 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - whiptail_bond_nics + if [ $is_ec2 -eq 1 ]; then + whiptail_ec2_nic + else + whiptail_bond_nics + fi calculate_useable_cores fi 
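Review bot: The offload check in create_ec2_sniffing never fires, because `grep -q "on [fixed]"` treats `[fixed]` as a bracket expression (one character from f,i,x,e,d) rather than the literal `[fixed]` that ethtool prints, so `nic_error` stays 0 for unsupported NICs. A fixed-string match is what was intended: `if ethtool -k "$BNIC" | grep "$string" | grep -qF "on [fixed]"; then`. The same pattern is carried as context into configure_network_sensor in the later hunk at L380, so the fix applies there too. Separately, `INTERFACE=$BNIC` after the loop silently picks whichever NIC was iterated last; if only one NIC is expected here, `INTERFACE=${BNICS[0]}` states that explicitly.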
@@ -373,9 +379,12 @@ fi update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond interface' - create_sensor_bond >> $setup_log 2>&1 - + set_progress_str 3 'Creating bond/sniffing interface' + if [ $is_ec2 -eq 1 ]; then + create_ec2_sniffing >> $setup_log 2>&1 + else + create_sensor_bond >> $setup_log 2>&1 + fi set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi From f98c497d7963f5822f4c48a003b30371962cd7fa Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Jul 2020 13:43:37 -0400 Subject: [PATCH 086/314] change setup and whiptail back to bro --- setup/so-setup | 2 +- setup/so-whiptail | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index f2db6775a..a5b57f13d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -281,7 +281,7 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_zeek_pins + whiptail_bro_pins whiptail_suricata_pins whiptail_bond_nics_mtu else diff --git a/setup/so-whiptail b/setup/so-whiptail index ee9ba5b4b..008d24e1f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_zeek_pins() { +whiptail_bro_pins() { [ -n "$TESTING" ] && return From 44890edc79180b67a6196c3ec926b4d140331b66 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 13:51:54 -0400 Subject: [PATCH 087/314] [refactor] Use regex in error check for setup log --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 769e7e50a..31d894b2e 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -q "ERROR" $setup_log || grep -q "Error" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -qE "(ERROR|Error)" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi From 4b5571a8d684d88b6619001347ed233c6aff9e22 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 13:56:15 -0400 Subject: [PATCH 088/314] [refactor][fix] Remove unnecessary variable --- setup/so-whiptail | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 0ec48f2ae..c157d5257 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -93,12 +93,8 @@ whiptail_bond_nics() { IFS=' ' read -ra BNICS <<< "$BNICS" - local unmanaged_bond=0 for bond_nic in "${BNICS[@]}"; do if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then - unmanaged_bond=1 - fi - if [[ "$unmanaged_bond" == 1 ]]; then whiptail \ --title "Security Onion Setup" \ --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ From 70e4ce3e9894925584737fe7ffb00c13b5c52e8b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 1 Jul 2020 14:38:51 -0400 Subject: [PATCH 089/314] Add batch to output --- .../config/so/9999_output_redis.conf.jinja | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index f176e0b94..594917ad6 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja 
@@ -1,26 +1,14 @@ -{%- if salt['grains.get']('role') == 'so-master' %} -{% set master = salt['pillar.get']('static:masterip', '') %} -{%- set nodetype = 'master' %} -{% elif grains.role == 'so-heavynode' %} -{% set master = salt['pillar.get']('node:mainip', '') %} -{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %} -{%- else %} -{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %} -{% set master = salt['pillar.get']('static:masterip', '') %} -{%- endif %} - +{% set MASTER = salt['pillar.get']('static:masterip', '') %} +{% set BATCH = salt['pillar.get']('logstash:batch_size', 500) %} output { redis { - host => '{{ master }}' + host => '{{ MASTER }}' data_type => 'list' - {%- if nodetype == 'parser' %} - key => 'logstash:parsed' - {%- else %} key => 'logstash:unparsed' - {%- endif %} congestion_interval => 1 congestion_threshold => 50000000 - # batch_events => 500 + batch ==> True + batch_events => {{ BATCH }} } } From f580da5d563524aed19fbc4695ae945467ba739a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 1 Jul 2020 14:45:54 -0400 Subject: [PATCH 090/314] Update 9999_output_redis.conf.jinja --- salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 594917ad6..2a5ede0f4 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,5 +1,5 @@ {% set MASTER = salt['pillar.get']('static:masterip', '') %} -{% set BATCH = salt['pillar.get']('logstash:batch_size', 500) %} +{% set BATCH = salt['pillar.get']('logstash:batch_size', 125) %} output { redis { From 5580f05daf37a829ba226adb71d262d89d43449b Mon Sep 17 00:00:00 2001 
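Review bot: The added line `batch ==> True` is not valid Logstash pipeline syntax: the assignment operator is `=>` and booleans are lowercase, so the rendered output config will fail to load and the whole pipeline will refuse to start. It should read `batch => true`. It would also help to keep a short comment above the two batch lines, e.g. `# batch size comes from pillar logstash:batch_size (default 500)`, since the value is no longer visible in the template.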
From: Mike Reeves Date: Wed, 1 Jul 2020 15:07:00 -0400 Subject: [PATCH 091/314] Add logstash pillar --- setup/so-functions | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fdfcf37eb..9f2f7edfd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -873,13 +873,11 @@ master_pillar() { " esheap: $ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " freq: 0"\ - " domainstats: 0" >> "$pillar_file" + " domainstats: 0" > "$pillar_file" + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MASTERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then printf '%s\n'\ - " ls_pipeline_batch_size: 125"\ - " ls_input_threads: 1"\ - " ls_batch_count: 125"\ " mtu: $MTU" >> "$pillar_file" fi @@ -911,6 +909,11 @@ master_pillar() { " playbook: $PLAYBOOK"\ " url_base: $REDIRECTIT"\ ""\ + "logstash:"\ + " ls_pipeline_batch_size: 125"\ + " ls_input_threads: 1"\ + " ls_batch_count: 125"\ + ""\ "kratos:" >> "$pillar_file" printf '%s\n'\ @@ -1007,8 +1010,6 @@ node_pillar() { " esheap: $NODE_ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " lsheap: $NODE_LS_HEAP_SIZE"\ - " ls_pipeline_workers: $LSPIPELINEWORKERS"\ - " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ " ls_input_threads: $LSINPUTTHREADS"\ " ls_batch_count: $LSINPUTBATCHCOUNT"\ " es_shard_count: $SHARDCOUNT"\ @@ -1016,6 +1017,10 @@ node_pillar() { " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ + "logstash:"\ + " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ + " ls_input_threads: $LSINPUTTHREADS"\ + " ls_batch_count: $LSINPUTBATCHCOUNT"\ "" >> "$pillar_file" printf '%s\n' '----' >> "$setup_log" 2>&1 From ab42126d8e96bdcf8cf4792ff11b992f28b8351a Mon Sep 17 00:00:00 2001 
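Review bot: In master_pillar the redirect on the `domainstats: 0` line changes from `>>` to `>`, which truncates `$pillar_file` at that point; if any earlier statement in master_pillar has already written to the file (the function's start is outside the hunk), that content is silently discarded. If this printf is meant to be the first write, a one-line comment such as `# first write: (re)create the pillar file, later printf calls append` above it would make the intent clear and stop a future reorder from reintroducing the bug. If it is not the first write, it should stay `>>`.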
From: Mike Reeves Date: Wed, 1 Jul 2020 15:25:35 -0400 Subject: [PATCH 092/314] Add logstash_settings pillar --- salt/logstash/init.sls | 9 +-------- .../pipelines/config/so/0900_input_redis.conf.jinja | 10 ++++++---- .../config/so/9999_output_redis.conf.jinja | 2 +- salt/redis/init.sls | 1 - setup/so-functions | 13 +++++-------- 5 files changed, 13 insertions(+), 22 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 1118b6807..b42ea4546 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -23,19 +23,12 @@ {% endif %} # Logstash Section - Decide which pillar to use -{% if grains['role'] == 'so-sensor' %} - {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %} - {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %} -{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {% set lsheap = salt['pillar.get']('node:lsheap', '') %} - {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %} +{% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} {% elif grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set lsheap = salt['pillar.get']('master:lsheap', '') %} {% set freq = salt['pillar.get']('master:freq', '0') %} {% set dstats = salt['pillar.get']('master:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} {% elif grains['role'] == 'so-helix' %} - {% set lsheap = salt['pillar.get']('master:lsheap', '') %} {% set freq = salt['pillar.get']('master:freq', '0') %} {% set dstats = salt['pillar.get']('master:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index ede940367..dc2f7c4ce 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja 
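Review bot: The init.sls hunk removes the opening `{% if grains['role'] == 'so-sensor' %}` and its first `{% elif %}` but leaves the following `{% elif grains['role'] in ['so-eval', ...] %}` and `{% elif grains['role'] == 'so-helix' %}` in place, so the template now has an `elif` with no `if` and will fail to render on every role. The first surviving branch needs to become the opener: `{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %}`. Also note that `nodetype` is no longer set for the so-node/so-heavynode branch; if later parts of the state (outside this hunk) reference it for those roles, it will be undefined.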
@@ -1,14 +1,16 @@ {%- if grains.role == 'so-heavynode' %} -{%- set master = salt['pillar.get']('node:mainip', '') %} +{%- set MASTER = salt['pillar.get']('node:mainip', '') %} {%- else %} -{%- set master = salt['pillar.get']('static:masterip', '') %} +{%- set MASTER = salt['pillar.get']('static:masterip', '') %} {% endif -%} +{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} + input { redis { - host => '{{ master }}' + host => '{{ MASTER }}' data_type => 'list' key => 'logstash:unparsed' type => 'redis-input' - # threads => 1 + threads => {{ THREADS }} } } diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 2a5ede0f4..5bf2512d5 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,5 +1,5 @@ {% set MASTER = salt['pillar.get']('static:masterip', '') %} -{% set BATCH = salt['pillar.get']('logstash:batch_size', 125) %} +{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 3b2f662f3..5db53957c 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -12,7 +12,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set MASTER = salt['grains.get']('master') %} diff --git a/setup/so-functions b/setup/so-functions index 9f2f7edfd..0c8296c02 100755 --- a/setup/so-functions +++ b/setup/so-functions 
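Review bot: `THREADS` defaults to an empty string, so when the `logstash_settings:ls_input_threads` pillar key is absent the template renders `threads => ` with no value, which is a Logstash config parse error rather than the previous commented-out default of 1. The default should be the numeric value the old comment documented: `{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', 1) %}`. The same applies to any other setting in this series that moves from a hard-coded value to a pillar lookup with `''` as the fallback.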
@@ -894,10 +894,7 @@ master_pillar() { esac printf '%s\n'\ - " lsheap: $LS_HEAP_SIZE"\ - " lsaccessip: 127.0.0.1"\ " elastalert: 1"\ - " ls_pipeline_workers: $num_cpu_cores"\ " nids_rules: $RULESETUP"\ " oinkcode: $OINKCODE"\ " es_port: $node_es_port"\ @@ -909,10 +906,12 @@ master_pillar() { " playbook: $PLAYBOOK"\ " url_base: $REDIRECTIT"\ ""\ - "logstash:"\ + "logstash_settings:"\ " ls_pipeline_batch_size: 125"\ " ls_input_threads: 1"\ " ls_batch_count: 125"\ + " lsheap: $LS_HEAP_SIZE"\ + " ls_pipeline_workers: $num_cpu_cores"\ ""\ "kratos:" >> "$pillar_file" @@ -1009,18 +1008,16 @@ node_pillar() { " mainint: $MNIC"\ " esheap: $NODE_ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ - " lsheap: $NODE_LS_HEAP_SIZE"\ - " ls_input_threads: $LSINPUTTHREADS"\ - " ls_batch_count: $LSINPUTBATCHCOUNT"\ " es_shard_count: $SHARDCOUNT"\ " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ - "logstash:"\ + "logstash_settings:"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ " ls_input_threads: $LSINPUTTHREADS"\ " ls_batch_count: $LSINPUTBATCHCOUNT"\ + " lsheap: $NODE_LS_HEAP_SIZE"\ "" >> "$pillar_file" printf '%s\n' '----' >> "$setup_log" 2>&1 From d6feafb12a14b471341c6ff8976080ca051b3bbc Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 1 Jul 2020 15:39:23 -0400 Subject: [PATCH 093/314] Correct indentation in filebeat.yaml --- salt/common/tools/sbin/so-import-pcap | 0 salt/filebeat/etc/filebeat.yml | 10 +++++----- 2 files changed, 5 insertions(+), 5 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-import-pcap diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap old mode 100644 new mode 100755 diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 9dd00503c..9d0889a34 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -127,11 +127,11 @@ filebeat.inputs: category: network imported: true processors: - - dissect: - tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}" - field: "source" - target_prefix: "" - - drop_fields: + - dissect: + tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}" + field: "source" + target_prefix: "" + - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] fields_under_root: true From 54c33272402012b1aceaeec053623ed3b7ca6b16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:23:38 -0400 Subject: [PATCH 094/314] [refactor] Simplify ec2 detection + handling --- .../99-so-checksum-offload-disable | 2 +- setup/so-functions | 111 ++++++++---------- setup/so-setup | 26 ++-- setup/so-whiptail | 34 ++---- 4 files changed, 71 insertions(+), 102 deletions(-) diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index b8c21a299..917c0f72b 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable @@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$DEVICE_IFACE" "$i" off; done - ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off + ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on fi \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index efccdedd5..79ef25a3c 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -495,29 +495,45 @@ create_local_directories() { } -create_sensor_bond() { - echo "Setting up sensor bond" >> "$setup_log" 2>&1 - - INTERFACE="bond0" +configure_network_sensor() { + echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 - check_network_manager_conf >> "$setup_log" 2>&1 - # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1500 + if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi + fi + + if [[ $is_ec2 ]]; then + INTERFACE=${BNICS[0]} + local nmcli_con_arg="type ethernet" + else + INTERFACE='bond0' + local nmcli_con_arg="type bond mode 0" fi # Create the bond interface only if it doesn't already exist - if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then - nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ + + nmcli -f name,uuid -p con | grep -q "$INTERFACE" + local found_int=$? + + if [[ ! $found_int ]]; then + nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \ + ipv4.method disabled \ + ipv6.method ignore \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ') + + nmcli con mod "$int_uuid" \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi - for BNIC in "${BNICS[@]}"; do # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do 
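Review bot: `if [[ ! $found_int ]]` in configure_network_sensor is always false, because `$found_int` holds the grep exit status (`0` or `1`) and `[[ ! string ]]` only tests for an empty string; the `nmcli con add` branch is therefore unreachable and, when the connection does not yet exist, the else branch runs `nmcli con mod ""` with an empty uuid. The test should be on the numeric status, `if [[ $found_int -ne 0 ]]; then`, and the same construction is repeated for the slave connection in the next hunk at L381. Separately, `grep -q "$INTERFACE"` is unanchored, so a lingering `bond0-slave-eth0` connection makes `bond0` look present; the old `sed -n "s/$INTERFACE //p"` form, or `grep -q "^$INTERFACE "`, avoids that. Note also that the comment above the check still says "bond interface" although the same code now creates a plain ethernet connection on EC2.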
@@ -533,15 +549,29 @@ create_sensor_bond() { ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 done - # Check if the bond slave connection has already been created - if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ - ethernet.mtu $MTU \ - connection.autoconnect "yes" >> "$setup_log" 2>&1 - fi + if [[ $is_ec2 ]]; then + nmcli con up "$BNIC" >> "$setup_log" 2>&1 + else + # Check if the bond slave connection has already been created + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" + local found_int=$? + + if [[ ! $found_int ]]; then + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') - nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + nmcli con mod "$int_uuid" \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + fi + + nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + fi done if [ $nic_error != 0 ]; then 
@@ -1622,46 +1652,9 @@ es_heapsize() { fi } -is_ec2() { +detect_ec2() { # Check if EC2 - if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then - is_ec2=1 - else - is_ec2=0 - fi -} - -create_ec2_sniffing() { - echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 - - local nic_error=0 - - check_network_manager_conf >> "$setup_log" 2>&1 - - # Set the MTU - if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1575 - fi - - for BNIC in "${BNICS[@]}"; do - # Check if specific offload features are able to be disabled - for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do - if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then - echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 - nic_error=1 - break - fi - done - - # Turn off various offloading settings for the interface - for i in rx tx sg tso ufo gso gro lro; do - ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 - done - done - - INTERFACE=$BNIC - - if [ $nic_error != 0 ]; then - return 1 - fi + curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null + is_ec2=$? + export is_ec2 } diff --git a/setup/so-setup b/setup/so-setup index 69b9c3c32..733496a95 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -98,9 +98,7 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -detect_os - -is_ec2 +detect_os && detect_ec2 if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 @@ -227,11 +225,7 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - if [ $is_ec2 -eq 1 ]; then - whiptail_ec2_nic - else - whiptail_bond_nics - fi + whiptail_sensor_nics calculate_useable_cores fi 
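Review bot: detect_ec2 now stores curl's exit status in `is_ec2`, so the variable is `0` on EC2 and non-zero elsewhere, but the consumers added in this commit (`if [[ $is_ec2 ]]` in configure_network_sensor at L380 and in whiptail_bond_nics at L383) test for a non-empty string, which is true in both cases; every install will take the EC2 path. Either leave the variable unset when the probe fails, `curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null && is_ec2=1`, or change the consumers to `[[ $is_ec2 -eq 0 ]]`. In so-setup, `detect_os && detect_ec2` also skips the probe entirely when detect_os returns non-zero, leaving `is_ec2` unset; if detect_os can fail, the two calls should be separate statements.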
@@ -370,21 +364,17 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond/sniffing interface' - if [ $is_ec2 -eq 1 ]; then - create_ec2_sniffing >> $setup_log 2>&1 - else - create_sensor_bond >> $setup_log 2>&1 - fi + set_progress_str 3 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index a96cbcc83..a8a263f78 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -78,13 +78,21 @@ whiptail_bond_nics() { filter_unused_nics - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + if [[ $is_ec2 ]]; then + local menu_text="Please select NIC for the Monitor Interface" + local list_type="radiolist" + else + local menu_text="Please add NICs to the Monitor Interface" + local list_type="checklist" + fi + + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus while [ -z "$BNICS" ] do - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus done 
@@ -107,28 +115,6 @@ whiptail_bond_nics_mtu() { } -whiptail_ec2_nic() { - - [ -n "$TESTING" ] && return - - filter_unused_nics - - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - while [ -z "$BNICS" ] - do - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - done - - BNICS=$(echo "$BNICS" | tr -d '"') - - IFS=' ' read -ra BNICS <<< "$BNICS" -} - whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 From b4f9fe5f542db747186ac956e860da1e2006d78f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:24:41 -0400 Subject: [PATCH 095/314] [fix] Remove quotes --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 7143abaee..d5541a5b0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -612,7 +612,7 @@ if [[ "$success" = 0 ]]; then if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR - so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 + so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then From b671f285621e907858019d83fb0ad73fe5e4fddb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:32:33 -0400 Subject: [PATCH 096/314] [fix] Rename function whiptail_bond_nics to whiptail_sensor_nics --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2e1a0c375..8c84d5345 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -72,7 +72,7 @@ whiptail_bro_version() { } -whiptail_bond_nics() { +whiptail_sensor_nics() { [ -n "$TESTING" ] && return 
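Review bot: Dropping the quotes makes `-$ALLOW_ROLE` subject to word splitting and globbing; if `ALLOW_ROLE` is always a single token the quoted form behaved identically and this change is a no-op, and if it may hold several words the `-` is prepended only to the first one, which the commit message does not explain. Either keep `so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1` or add a comment above the line stating the expected shape of `ALLOW_ROLE` and why unquoted expansion is wanted. The surrounding `[[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]` guard is unchanged context, so the empty-value case is already covered.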
From d893aa00324bfe230b2d55570a99206018195680 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 1 Jul 2020 16:48:07 -0400 Subject: [PATCH 097/314] Playbook Updates --- salt/playbook/files/playbook_db_init.sql | 38 +- .../files/playbook_db_init.sql.backup | 1771 +++++++++++++++++ setup/so-setup | 27 +- 3 files changed, 1802 insertions(+), 34 deletions(-) create mode 100644 salt/playbook/files/playbook_db_init.sql.backup diff --git a/salt/playbook/files/playbook_db_init.sql b/salt/playbook/files/playbook_db_init.sql index 0a10e6eb5..ab3acc1e8 100644 --- a/salt/playbook/files/playbook_db_init.sql +++ b/salt/playbook/files/playbook_db_init.sql @@ -315,7 +315,7 @@ CREATE TABLE `custom_field_enumerations` ( `active` tinyint(1) NOT NULL DEFAULT '1', `position` int(11) NOT NULL DEFAULT '1', PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -356,7 +356,7 @@ CREATE TABLE `custom_fields` ( `description` text, PRIMARY KEY (`id`), KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -365,7 +365,7 @@ CREATE TABLE `custom_fields` ( LOCK TABLES `custom_fields` WRITE; /*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; -INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,16,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,12,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,17,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- low\n- medium\n- high\n- 
critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Signature ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(14,'IssueCustomField','Product','list','---\n- windows\n- linux\n- antivirus\n- osquery\n','',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- 
T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1224\n- T1225\n- T1226\n- T1227\n- T1228\n- T1229\n- T1230\n- T1231\n- T1232\n- T1233\n- T1234\n- T1235\n- T1236\n- T1237\n- T1238\n- T1239\n- T1240\n- T1241\n- T1242\n- T1243\n- T1244\n- T1245\n- T1246\n- T1247\n- T1248\n- T1249\n- T1250\n- T1251\n- T1252\n- T1253\n- T1254\n- T1255\n- T1256\n- T1257\n- T1258\n- T1259\n- T1260\n- T1261\n- T1262\n- T1263\n- T1264\n- T1265\n- T1266\n- T1267\n- T1268\n- T1269\n- T1270\n- T1271\n- T1272\n- T1273\n- T1274\n- T1275\n- T1276\n- T1277\n- T1278\n- T1279\n- T1280\n- T1281\n- T1282\n- T1283\n- T1284\n- T1285\n- T1286\n- T1287\n- T1288\n- T1289\n- T1290\n- T1291\n- T1292\n- T1293\n- T1294\n- T1295\n- T1296\n- T1297\n- T1298\n- T1299\n- T1300\n- T1301\n- T1302\n- T1303\n- T1304\n- T1305\n- T1306\n- T1307\n- T1308\n- T1309\n- T1310\n- T1311\n- T1312\n- T1313\n- T1314\n- T1315\n- T1316\n- T1317\n- T1318\n- T1319\n- T1320\n- T1321\n- T1322\n- T1323\n- T1324\n- T1325\n- T1326\n- T1327\n- T1328\n- T1329\n- 
T1330\n- T1331\n- T1332\n- T1333\n- T1334\n- T1335\n- T1336\n- T1337\n- T1338\n- T1339\n- T1340\n- T1341\n- T1342\n- T1343\n- T1344\n- T1345\n- T1346\n- T1347\n- T1348\n- T1349\n- T1350\n- T1351\n- T1352\n- T1353\n- T1354\n- T1355\n- T1356\n- T1357\n- T1358\n- T1359\n- T1360\n- T1361\n- T1362\n- T1363\n- T1364\n- T1365\n- T1366\n- T1367\n- T1368\n- T1369\n- T1370\n- T1371\n- T1372\n- T1373\n- T1374\n- T1375\n- T1376\n- T1377\n- T1378\n- T1379\n- T1380\n- T1381\n- T1382\n- T1383\n- T1384\n- T1385\n- T1386\n- T1387\n- T1388\n- T1389\n- T1390\n- T1391\n- T1392\n- T1393\n- T1394\n- T1395\n- T1396\n- T1397\n- T1398\n- T1399\n- T1400\n- T1401\n- T1402\n- T1403\n- T1404\n- T1405\n- T1406\n- T1407\n- T1408\n- T1409\n- T1410\n- T1411\n- T1412\n- T1413\n- T1414\n- T1415\n- T1416\n- T1417\n- T1418\n- T1419\n- T1420\n- T1421\n- T1422\n- T1423\n- T1424\n- T1425\n- T1426\n- T1427\n- T1428\n- T1429\n- T1430\n- T1431\n- T1432\n- T1433\n- T1434\n- T1435\n- T1436\n- T1437\n- T1438\n- T1439\n- T1440\n- T1441\n- T1442\n- T1443\n- T1444\n- T1445\n- T1446\n- T1447\n- T1448\n- T1449\n- T1450\n- T1451\n- T1452\n- T1453\n- T1454\n- T1455\n- T1456\n- T1457\n- T1458\n- T1459\n- T1460\n- T1461\n- T1462\n- T1463\n- T1464\n- T1465\n- T1466\n- T1467\n- T1468\n- T1469\n- T1470\n- T1471\n- T1472\n- T1473\n- T1474\n- T1475\n- T1476\n- T1477\n- T1478\n- T1479\n- T1480\n- T1481\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1507\n- T1508\n- T1509\n- T1510\n- T1511\n- T1512\n- T1513\n- T1514\n- T1515\n- T1516\n- T1517\n- T1518\n- T1519\n- T1520\n- T1521\n- T1522\n- T1523\n- T1524\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1532\n- T1533\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- 
T1552\n- T1553\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(16,'IssueCustomField','Category','list','---\n- win-sysmon\n- win-builtin\n- win-proc\n- win-malware\n- win-other\n- win-powershell\n','',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,11,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''); +INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,16,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,17,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: 
\'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,18,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Rule ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- 
T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1480\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1514\n- T1518\n- T1519\n- T1522\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- T1552\n- T1553\n- T1554\n- T1555\n- T1556\n- 
T1557\n- T1558\n- T1559\n- T1560\n- T1561\n- T1562\n- T1563\n- T1564\n- T1565\n- T1566\n- T1567\n- T1568\n- T1569\n- T1570\n- T1571\n- T1572\n- T1573\n- T1574\n- T1575\n- T1576\n- T1577\n- T1578\n- T1579\n- T1580\n- T1581\n- T1582\n- T1583\n- T1584\n- T1585\n- T1586\n- T1587\n- T1588\n- T1589\n- T1590\n- T1591\n- T1592\n- T1593\n- T1594\n- T1595\n- T1596\n- T1597\n- T1598\n- T1599\n- T1600\n- T1601\n- T1602\n- T1603\n- T1604\n- T1605\n- T1606\n- T1607\n- T1608\n- T1609\n- T1610\n- T1611\n- T1612\n- T1613\n- T1614\n- T1615\n- T1616\n- T1617\n- T1618\n- T1619\n- T1620\n- T1621\n- T1622\n- T1623\n- T1624\n- T1625\n- T1626\n- T1627\n- T1628\n- T1629\n- T1630\n- T1631\n- T1632\n- T1633\n- T1634\n- T1635\n- T1636\n- T1637\n- T1638\n- T1639\n- T1640\n- T1641\n- T1642\n- T1643\n- T1644\n- T1645\n- T1646\n- T1647\n- T1648\n- T1649\n- T1650\n- T1651\n- T1652\n- T1653\n- T1654\n- T1655\n- T1656\n- T1657\n- T1658\n- T1659\n- T1660\n- T1661\n- T1662\n- T1663\n- T1664\n- T1665\n- T1666\n- T1667\n- T1668\n- T1669\n- T1670\n- T1671\n- T1672\n- T1673\n- T1674\n- T1675\n- T1676\n- T1677\n- T1678\n- T1679\n- T1680\n- T1681\n- T1682\n- T1683\n- T1684\n- T1685\n- T1686\n- T1687\n- T1688\n- T1689\n- T1690\n- T1691\n- T1692\n- T1693\n- T1694\n- T1695\n- T1696\n- T1697\n- T1698\n- T1699\n- T1700\n- T1701\n- T1702\n- T1703\n- T1704\n- T1705\n- T1706\n- T1707\n- T1708\n- T1709\n- T1710\n- T1711\n- T1712\n- T1713\n- T1714\n- T1715\n- T1716\n- T1717\n- T1718\n- T1719\n- T1720\n- T1721\n- T1722\n- T1723\n- T1724\n- T1725\n- T1726\n- T1727\n- T1728\n- T1729\n- T1730\n- T1731\n- T1732\n- T1733\n- T1734\n- T1735\n- T1736\n- T1737\n- T1738\n- T1739\n- T1740\n- T1741\n- T1742\n- T1743\n- T1744\n- T1745\n- T1746\n- T1747\n- T1748\n- T1749\n- T1750\n- T1751\n- T1752\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- 
Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,12,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(18,'IssueCustomField','Ruleset','string',NULL,'',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(19,'IssueCustomField','Group','string',NULL,'',NULL,NULL,0,1,1,11,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(20,'IssueCustomField','Product','string',NULL,'',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(21,'IssueCustomField','Target Log','text',NULL,'',NULL,NULL,0,1,0,19,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(22,'IssueCustomField','Unit Test','list','---\n- Passed\n- Failed\n','',NULL,NULL,0,1,1,20,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(26,'IssueCustomField','License','list','---\n- Apache-2.0\n- BSD-2-Clause\n- BSD-3-Clause\n- CC0-1.0\n- CC-PDDC\n- DRL-1.0\n- LGPL-3.0-only\n- MIT License\n- GPL-2.0-only\n- GPL-3.0-only\n','',NULL,NULL,0,1,0,21,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://spdx.org/licenses/%value%.html\nedit_tag_style: \'\'\n',''); /*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; UNLOCK TABLES; 
@@ -435,7 +435,7 @@ CREATE TABLE `custom_fields_trackers` ( LOCK TABLES `custom_fields_trackers` WRITE; /*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; -INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(14,1),(15,1),(16,1),(17,1); +INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(15,1),(17,1),(18,1),(19,1),(20,1),(21,1),(22,1),(26,1); /*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; UNLOCK TABLES; @@ -455,7 +455,7 @@ CREATE TABLE `custom_values` ( PRIMARY KEY (`id`), KEY `custom_values_customized` (`customized_type`,`customized_id`), KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=11256 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=93998 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -464,7 +464,6 @@ CREATE TABLE `custom_values` ( LOCK TABLES `custom_values` WRITE; /*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; -INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n  (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n  selection:\n    EventID: 15\n  filter:\n    Imphash:\n    - \'00000000000000000000000000000000\'\n    - \n  condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|startswith: \\PSHost\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n
\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n    - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n    - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n    - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n
\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\atctl\n    - \\userpipe\n    - \\iehelper\n    - \\sdlrpc\n    - \\comnap\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n
\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n  condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n
\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage:\n    - \'*\\System32\\cscript.exe\'\n    - \'*\\System32\\wscript.exe\'\n    - \'*\\System32\\mshta.exe\'\n    - \'*\\winword.exe\'\n    - \'*\\excel.exe\'\n    TargetImage: \'*\\SysWOW64\\\\*\'\n    StartModule:\n  condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n
\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n  which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetProcessAddress|endswith:\n    - 0B80\n    - 0C7C\n    - 0C88\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n
\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n  to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    StartModule|endswith: \\kernel32.dll\n    StartFunction: LoadLibraryA\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n
\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n  dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n  (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage|endswith: \\lsass.exe\n    GrantedAccess|contains:\n    - \'0x40\'\n    - \'0x1000\'\n    - \'0x1400\'\n    - \'0x100000\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1438\'\n    - \'0x143a\'\n    - \'0x1418\'\n    - \'0x1f0fff\'\n    - \'0x1f1fff\'\n    - \'0x1f2fff\'\n    - \'0x1f3fff\'\n  filter:\n    ProcessName|endswith:\n    - \\wmiprvse.exe\n    - \\taskmgr.exe\n    - \\procexp64.exe\n    - \\procexp.exe\n    - \\lsm.exe\n    - \\csrss.exe\n    - \\wininit.exe\n    - \\vmtoolsd.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n  with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n  files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains:\n    - \\pwdump\n    - \\kirbi\n    - \\pwhashes\n    - \\wce_ccache\n    - \\wce_krbtkts\n    - \\fgdump-log\n    TargetFilename|endswith:\n    - \\test.pwd\n    - \\lsremora64.dll\n    - \\lsremora.dll\n    - \\fgexec.exe\n    - \\wceaux.dll\n    - \\SAM.out\n    - \\SECURITY.out\n    - \\SYSTEM.out\n    - \\NTDS.out\n    - \\DumpExt.dll\n    - \\DumpSvc.exe\n    - \\cachedump64.exe\n    - \\cachedump.exe\n    - \\pstgdump.exe\n    - \\servpw.exe\n    - \\servpw64.exe\n    - \\pwdump.exe\n    - \\procdump64.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n  pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|contains:\n    - \\lsadump\n    - \\cachedump\n    - \\wceservicepipe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n
\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n  parameter in Registry, which can be used to execute code in context of the DHCP\n  server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n  Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID: 12\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\Temp\\debug.bin\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n  reflectively loaded libraries in their memory space. An example is SilentTrinity\n  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n  call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n  the module name. Usually this means the stack call points to a module that was reflectively\n  loaded in memory. Adding to this, it is not common to see such few calls in the\n  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n  of the functions required by the process to execute certain routines are already\n  present in memory, not requiring any calls to external libraries. The latter should\n  also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_01:\n    EventID: 10\n    CallTrace:\n    - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n    - \'*UNKNOWN(*)|UNKNOWN(*)\'\n  selection_02:\n    EventID: 10\n    CallTrace: \'*UNKNOWN*\'\n  granted_access:\n    GrantedAccess:\n    - \'0x1F0FFF\'\n    - \'0x1F1FFF\'\n    - \'0x143A\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1F2FFF\'\n    - \'0x1F3FFF\'\n    - \'0x1FFFFF\'\n  condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n
\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n  powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\System.Management.Automation.Dll\n    - \\System.Management.Automation.ni.Dll\n  filter:\n    Image|endswith:\n    - \\powershell.exe\n    - \\WINDOWS\\System32\\sdiagnhost.exe\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n  Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\windows\\system32\\svchost.exe\'\n    GrantedAccess: \'0x1f3fff\'\n    CallTrace:\n    - \'*unknown*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    GrantedAccess: \'0x1fffff\'\n    CallTrace:\n    - \'*dbghelp.dll*\'\n    - \'*dbgcore.dll*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating system utilities. Procdump will use the process name in the output file name if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by a legitimate incident responder or forensic investigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n  will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains: lsass\n    TargetFilename|endswith: dmp\n  condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n  responder or forensic invetigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnknown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\isapi_http\n    - \\isapi_dg\n    - \\isapi_dg2\n    - \\sdlrpc\n    - \\ahexec\n    - \\winsession\n    - \\lsassw\n    - \\46a676ab7f179e511e30dd2dc41bd388\n    - \\9f81f59bc58452127884ce513865ed20\n    - \\e710f28d59aa529d6792ca6ff0ca1b34\n    - \\rpchlp_3\n    - \\NamePipe_MoreWindows\n    - \\pcheap_reuse\n    - \\msagent_*\n    - \\gruntsvc\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n  on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationPort:\n    - \'4443\'\n    - \'2448\'\n    - \'8143\'\n    - \'1777\'\n    - \'1443\'\n    - \'243\'\n    - \'65535\'\n    - \'13506\'\n    - \'3360\'\n    - \'200\'\n    - \'198\'\n    - \'49180\'\n    - \'13507\'\n    - \'6625\'\n    - \'4444\'\n    - \'4438\'\n    - \'1904\'\n    - \'13505\'\n    - \'13504\'\n    - \'12102\'\n    - \'9631\'\n    - \'5445\'\n    - \'2443\'\n    - \'777\'\n    - \'13394\'\n    - \'13145\'\n    - \'12103\'\n    - \'5552\'\n    - \'3939\'\n    - \'3675\'\n    - \'666\'\n    - \'473\'\n    - \'5649\'\n    - \'4455\'\n    - \'4433\'\n    - \'1817\'\n    - \'100\'\n    - \'65520\'\n    - \'1960\'\n    - \'1515\'\n    - \'743\'\n    - \'700\'\n    - \'14154\'\n    - \'14103\'\n    - \'14102\'\n    - \'12322\'\n    - \'10101\'\n    - \'7210\'\n    - \'4040\'\n    - \'9943\'\n  filter1:\n    Image: \'*\\Program Files*\'\n  filter2:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n    DestinationIsIpv6: \'false\'\n  condition: selection and not ( filter1 
or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n
\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n  a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\verclsid.exe\'\n    GrantedAccess: \'0x1FFFFF\'\n  combination1:\n    CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n  combination2:\n    SourceImage: \'*\\Microsoft Office\\\\*\'\n    CallTrace: \'*|UNKNOWN*\'\n  condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndate: 2017/03/13\ndetection:\n  selector:\n    EventID: 7\n    Image: C:\\Windows\\System32\\rundll32.exe\n  dllload1:\n    ImageLoaded: \'*\\vaultcli.dll\'\n  dllload2:\n    ImageLoaded: \'*\\wlanapi.dll\'\n  exclusion:\n    ImageLoaded:\n    - ntdsapi.dll\n    - netapi32.dll\n    - imm32.dll\n    - samlib.dll\n    - combase.dll\n    - srvcli.dll\n    - shcore.dll\n    - ntasn1.dll\n    - cryptdll.dll\n    - logoncli.dll\n  timeframe: 30s\n  condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n  to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n  condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of the MiniDumpWriteDump API for dumping lsass.exe memory in a stealthy way. Tools like ProcessHacker and some attacker tradecraft use this API, found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrinity C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n
\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n  in a stealth way. Tools like ProcessHacker and some attacker tradecract use this\n  API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework\n  has a module that leverages this API to dump the contents of Lsass.exe and transfer\n  it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  signedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Image|endswith:\n    - \\msbuild.exe\n    - \\cmd.exe\n    - \\svchost.exe\n    - \\rundll32.exe\n    - \\powershell.exe\n    - \\word.exe\n    - \\excel.exe\n    - \\powerpnt.exe\n    - \\outlook.exe\n    - \\monitoringhost.exe\n    - \\wmic.exe\n    - \\msiexec.exe\n    - \\bash.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\schtasks.exe\n    - \\dnx.exe\n    - \\regsvcs.exe\n    - \\sc.exe\n    - \\scriptrunner.exe\n  unsignedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Signed: \'FALSE\'\n  filter:\n    Image|contains: Visual Studio\n  condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n
\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    EventID: 12\n    EventType: DeleteValue\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n  selection2:\n    EventID: 13\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n  condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n  in the Registry key can be abused to obtain persistence and privilege escalation\n  by causing a malicious DLL to be loaded and run in the context of separate processes\n  on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n  into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  - EventID: 14\n    NewName:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n
\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n  EventID 8 in combination with the lsass.exe process as TargetImage. The process\n  in field Process is the malicious program. A single execution can lead to hundreds\n  of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetImage: C:\\Windows\\System32\\lsass.exe\n    StartModule:\n  condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, a DNS-answer contains a TTL >100 (the DNS-record will be saved in the host cache for the TTL period).'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\n Unknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS-answers by one domain with IPs from internal\n  and external networks. Normally, a DNS-answer contains a TTL >100 (the DNS-record\n  will be saved in the host cache for the TTL period).\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  dns_answer:\n    EventID: 22\n    QueryName: \'*\'\n    QueryStatus: \'0\'\n  filter_int_ip:\n    QueryResults|startswith:\n    - (::ffff:)?10.\n    - (::ffff:)?192.168.\n    - (::ffff:)?172.16.\n    - (::ffff:)?172.17.\n    - (::ffff:)?172.18.\n    - (::ffff:)?172.19.\n    - (::ffff:)?172.20.\n    - (::ffff:)?172.21.\n    - (::ffff:)?172.22.\n    - (::ffff:)?172.23.\n    - (::ffff:)?172.24.\n    - (::ffff:)?172.25.\n    - (::ffff:)?172.26.\n    - (::ffff:)?172.27.\n    - (::ffff:)?172.28.\n    - (::ffff:)?172.29.\n    - (::ffff:)?172.30.\n    - (::ffff:)?172.31.\n    - (::ffff:)?127.\n  timeframe: 30s\n  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n    | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detect modification of services configuration (ImagePath, FailureCommand\n  and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    IntegrityLevel: Medium\n    TargetObject|contains: \\services\\\n    TargetObject|endswith:\n    - \\ImagePath\n    - \\FailureCommand\n    - \\Parameters\\ServiceDll\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR 
*\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename:\n    - \'*\\Invoke-DllInjection.ps1\'\n    - \'*\\Invoke-WmiCommand.ps1\'\n    - \'*\\Get-GPPPassword.ps1\'\n    - \'*\\Get-Keystrokes.ps1\'\n    - \'*\\Get-VaultCredential.ps1\'\n    - \'*\\Invoke-CredentialInjection.ps1\'\n    - \'*\\Invoke-Mimikatz.ps1\'\n    - \'*\\Invoke-NinjaCopy.ps1\'\n    - \'*\\Invoke-TokenManipulation.ps1\'\n    - \'*\\Out-Minidump.ps1\'\n    - \'*\\VolumeShadowCopyTools.ps1\'\n    - \'*\\Invoke-ReflectivePEInjection.ps1\'\n    - \'*\\Get-TimedScreenshot.ps1\'\n    - \'*\\Invoke-UserHunter.ps1\'\n    - \'*\\Find-GPOLocation.ps1\'\n    - \'*\\Invoke-ACLScanner.ps1\'\n    - \'*\\Invoke-DowngradeAccount.ps1\'\n    - \'*\\Get-ServiceUnquoted.ps1\'\n    - \'*\\Get-ServiceFilePermission.ps1\'\n    - \'*\\Get-ServicePermission.ps1\'\n    - \'*\\Invoke-ServiceAbuse.ps1\'\n    - \'*\\Install-ServiceBinary.ps1\'\n    - \'*\\Get-RegAutoLogon.ps1\'\n    - \'*\\Get-VulnAutoRun.ps1\'\n    - \'*\\Get-VulnSchTask.ps1\'\n    - \'*\\Get-UnattendedInstallFile.ps1\'\n    - \'*\\Get-WebConfig.ps1\'\n    - \'*\\Get-ApplicationHost.ps1\'\n    - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n    - \'*\\Get-Unconstrained.ps1\'\n    - \'*\\Add-RegBackdoor.ps1\'\n    - \'*\\Add-ScrnSaveBackdoor.ps1\'\n    - \'*\\Gupt-Backdoor.ps1\'\n    - \'*\\Invoke-ADSBackdoor.ps1\'\n    - \'*\\Enabled-DuplicateToken.ps1\'\n    - \'*\\Invoke-PsUaCme.ps1\'\n    - \'*\\Remove-Update.ps1\'\n    - \'*\\Check-VM.ps1\'\n    - 
\'*\\Get-LSASecret.ps1\'\n    - \'*\\Get-PassHashes.ps1\'\n    - \'*\\Show-TargetScreen.ps1\'\n    - \'*\\Port-Scan.ps1\'\n    - \'*\\Invoke-PoshRatHttp.ps1\'\n    - \'*\\Invoke-PowerShellTCP.ps1\'\n    - \'*\\Invoke-PowerShellWMI.ps1\'\n    - \'*\\Add-Exfiltration.ps1\'\n    - \'*\\Add-Persistence.ps1\'\n    - \'*\\Do-Exfiltration.ps1\'\n    - \'*\\Start-CaptureServer.ps1\'\n    - \'*\\Invoke-ShellCode.ps1\'\n    - \'*\\Get-ChromeDump.ps1\'\n    - \'*\\Get-ClipboardContents.ps1\'\n    - \'*\\Get-FoxDump.ps1\'\n    - \'*\\Get-IndexedItem.ps1\'\n    - \'*\\Get-Screenshot.ps1\'\n    - \'*\\Invoke-Inveigh.ps1\'\n    - \'*\\Invoke-NetRipper.ps1\'\n    - \'*\\Invoke-EgressCheck.ps1\'\n    - \'*\\Invoke-PostExfil.ps1\'\n    - \'*\\Invoke-PSInject.ps1\'\n    - \'*\\Invoke-RunAs.ps1\'\n    - \'*\\MailRaider.ps1\'\n    - \'*\\New-HoneyHash.ps1\'\n    - \'*\\Set-MacAttribute.ps1\'\n    - \'*\\Invoke-DCSync.ps1\'\n    - \'*\\Invoke-PowerDump.ps1\'\n    - \'*\\Exploit-Jboss.ps1\'\n    - \'*\\Invoke-ThunderStruck.ps1\'\n    - \'*\\Invoke-VoiceTroll.ps1\'\n    - \'*\\Set-Wallpaper.ps1\'\n    - \'*\\Invoke-InveighRelay.ps1\'\n    - \'*\\Invoke-PsExec.ps1\'\n    - \'*\\Invoke-SSHCommand.ps1\'\n    - \'*\\Get-SecurityPackages.ps1\'\n    - \'*\\Install-SSP.ps1\'\n    - \'*\\Invoke-BackdoorLNK.ps1\'\n    - \'*\\PowerBreach.ps1\'\n    - \'*\\Get-SiteListPassword.ps1\'\n    - \'*\\Get-System.ps1\'\n    - \'*\\Invoke-BypassUAC.ps1\'\n    - \'*\\Invoke-Tater.ps1\'\n    - \'*\\Invoke-WScriptBypassUAC.ps1\'\n    - \'*\\PowerUp.ps1\'\n    - \'*\\PowerView.ps1\'\n    - \'*\\Get-RickAstley.ps1\'\n    - \'*\\Find-Fruit.ps1\'\n    - \'*\\HTTP-Login.ps1\'\n    - \'*\\Find-TrustedDocuments.ps1\'\n    - \'*\\Invoke-Paranoia.ps1\'\n    - \'*\\Invoke-WinEnum.ps1\'\n    - \'*\\Invoke-ARPScan.ps1\'\n    - \'*\\Invoke-PortScan.ps1\'\n    - \'*\\Invoke-ReverseDNSLookup.ps1\'\n    - \'*\\Invoke-SMBScanner.ps1\'\n    - \'*\\Invoke-Mimikittenz.ps1\'\n  condition: selection\nfalsepositives:\n- Penetration 
Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a Powershell process that opens network connections - check for\n  suspicious target ports and target systems - adjust to your environment (e.g. extend\n  filters with company\'s ip range\')\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\powershell.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.0.0.1\n    DestinationIsIpv6: \'false\'\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n
\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n
\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 9\n  filter_1:\n    Device|contains: floppy\n  filter_2:\n  - Image|endswith:\n    - \\wmiprvse.exe\n    - \\sdiagnhost.exe\n    - \\searchindexer.exe\n    - \\csrss.exe\n    - \\defrag.exe\n    - \\smss.exe\n    - \\vssvc.exe\n    - \\compattelrunner.exe\n    - \\wininit.exe\n    - \\autochk.exe\n    - \\taskhost.exe\n    - \\dfsrs.exe\n    - \\vds.exe\n    - \\lsass.exe\n  condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n  and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|endswith:\n    - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n    - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n    Details: DWORD (0x00000000)\n  condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n  address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\svchost.exe\'\n    Initiated: \'true\'\n    SourcePort: 3389\n    DestinationIp:\n    - 127.*\n    - ::1\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg:\n    EventID: 13\n    TargetObject:\n    - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n    - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n    - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n  condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compatibility'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n  condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n  filter:\n    Details:\n    - \'%%systemroot%%\\system32\\\\*\'\n    - \'%%systemroot%%\\SysWow64\\\\*\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n  condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n  of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject|contains: TrustRecords\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 3\n    - 22\n    Image|endswith: \\regsvr32.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n  connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort:\n    - 5985\n    - 5986\n  filter:\n    User: NT AUTHORITY\\NETWORK SERVICE\n  condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Description: Java Update Scheduler\n  selection2:\n    Description: Java(TM) Update Scheduler\n  filter:\n    Image|endswith:\n    - \\jusched.exe\n  condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n  or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Windows PowerShell\n    Company: Microsoft Corporation\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n  attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    OriginalFileName: procdump\n  filter:\n    Image:\n    - \'*\\procdump.exe\'\n    - \'*\\procdump64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n  malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Execute processes remotely\n    Product: Sysinternals PsExec\n  filter:\n    Image:\n    - \'*\\PsExec.exe\'\n    - \'*\\PsExec64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n
\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\rundll32.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n  condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n  spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n
\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n  SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n  exclusion_images:\n  - Image: C:\\Windows\\system32\\msiexec.exe\n  - Image: C:\\Windows\\syswow64\\MsiExec.exe\n  condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n  tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n  selection_2:\n    Image|contains:\n    - C:\\windows\\system32\\svchost.exe\n    - C:\\windows\\system32\\dllhost.exe\n    - C:\\windows\\system32\\mmc.exe\n    - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n  by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n  to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n  changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  filter:\n    Image:\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\System32\\msiexec.exe\n    - C:\\Windows\\System32\\mmc.exe\n  selection:\n    EventID: 11\n    TargetFilename|endswith: \\desktop.ini\n  condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n  or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    Image:\n    - \'*\\Downloads\\\\*\'\n    - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n    - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n    TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n  condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 6\n    ImageLoaded: \'*\\Temp\\\\*\'\n  condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n  created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    Description: \\?\n    FileVersion: \\?\n  selection2:\n    Description: \\?\n    Product: \\?\n  selection3:\n    Description: \\?\n    Company: \\?\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n  through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\notepad.exe\'\n    ImageLoaded:\n    - \'*\\samlib.dll\'\n    - \'*\\WinSCard.dll\'\n  condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n
\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n  Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n    - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n
\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\assembly\\*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n
\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\clr.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n
\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\dsparse.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\kerberos.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage: \'*\\powershell.exe\'\n    TargetImage: \'*\\rundll32.exe\'\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n  local temporary folder. This driver is used by Sysinternals Process Explorer but\n  also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n  Clever attackers may easily bypass this detection by just renaming the driver filename.\n  Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n  system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Use the following config to generate the necessary Event ID 3 Network\n    Connection events\ndetection:\n  selection:\n    EventID: 3\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - \'*\\Users\\Contacts\\\\*\'\n    - \'*\\Users\\Searches\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n  lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 3389\n    Initiated: \'true\'\n  filter:\n    Image:\n    - \'*\\mstsc.exe\'\n    - \'*\\RTSApp.exe\'\n    - \'*\\RTS2App.exe\'\n    - \'*\\RDCMan.exe\'\n    - \'*\\ws_TunnelService.exe\'\n    - \'*\\RSSensor.exe\'\n    - \'*\\RemoteDesktopManagerFree.exe\'\n    - \'*\\RemoteDesktopManager.exe\'\n    - \'*\\RemoteDesktopManager64.exe\'\n    - \'*\\mRemoteNG.exe\'\n    - \'*\\mRemote.exe\'\n    - \'*\\Terminals.exe\'\n    - \'*\\spiceworks-finder.exe\'\n    - \'*\\FSDiscovery.exe\'\n    - \'*\\FSAssessment.exe\'\n    - \'*\\MobaRTE.exe\'\n    - \'*\\chrome.exe\'\n    - \'*\\thor.exe\'\n    - \'*\\thor64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n  and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n    Details:\n    - C:\\Windows\\Temp\\\\*\n    - C:\\ProgramData\\\\*\n    - \'*\\AppData\\\\*\'\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Temp\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\Default\\\\*\n  condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n
\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n  suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n    Details:\n    - \'*C:\\Windows\\Temp\\\\*\'\n    - \'*\\AppData\\\\*\'\n    - \'%AppData%\\\\*\'\n    - \'*C:\\$Recycle.bin\\\\*\'\n    - \'*C:\\Temp\\\\*\'\n    - \'*C:\\Users\\Public\\\\*\'\n    - \'%Public%\\\\*\'\n    - \'*C:\\Users\\Default\\\\*\'\n    - \'*C:\\Users\\Desktop\\\\*\'\n    - wscript*\n    - cscript*\n  filter:\n    Details|contains:\n    - \\AppData\\Local\\Microsoft\\OneDrive\\\n  condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n  to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n    - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  selection_3:\n    Details|contains:\n    - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n  condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n  may easily bypass this detection by just renaming the services. Therefore just Medium-level\n  and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n
\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\VBE7.DLL*\'\n    - \'*\\VBEUI.DLL*\'\n    - \'*\\VBE7INTL.DLL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\wmiutils.dll\'\n    - \'*\\wbemcomn.dll\'\n    - \'*\\wbemprox.dll\'\n    - \'*\\wbemdisp.dll\'\n    - \'*\\wbemsvc.dll\'\n  condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n  layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n  maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n    subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - \'*\\Keyboard Layout\\Preload\\*\'\n    - \'*\\Keyboard Layout\\Substitutes\\*\'\n    Details|contains:\n    - 429\n    - 50429\n    - 0000042a\n  condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n  depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n  indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 88\n    Initiated: \'true\'\n  filter:\n    Image|endswith:\n    - \\lsass.exe\n    - \\opera.exe\n    - \\chrome.exe\n    - \\firefox.exe\n  condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n  however, this is still largely observed in the wild. This rule aims to detect suspicious\n  processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n  creating remote threads on other processes. It is a generalistic rule, but it should\n  have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n  for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n  selection:\n    EventID: 8\n    SourceImage|endswith:\n    - \\bash.exe\n    - \\cvtres.exe\n    - \\defrag.exe\n    - \\dnx.exe\n    - \\esentutl.exe\n    - \\excel.exe\n    - \\expand.exe\n    - \\explorer.exe\n    - \\find.exe\n    - \\findstr.exe\n    - \\forfiles.exe\n    - \\git.exe\n    - \\gpupdate.exe\n    - \\hh.exe\n    - \\iexplore.exe\n    - \\installutil.exe\n    - \\lync.exe\n    - \\makecab.exe\n    - \\mDNSResponder.exe\n    - \\monitoringhost.exe\n    - \\msbuild.exe\n    - \\mshta.exe\n    - \\msiexec.exe\n    - \\mspaint.exe\n    - \\outlook.exe\n    - \\ping.exe\n    - \\powerpnt.exe\n    - \\powershell.exe\n    - \\provtool.exe\n    - \\python.exe\n    - \\regsvr32.exe\n    - \\robocopy.exe\n    - \\runonce.exe\n    - \\sapcimc.exe\n    - \\schtasks.exe\n    - \\smartscreen.exe\n    - \\spoolsv.exe\n    - \\tstheme.exe\n    - \\userinit.exe\n    - \\vssadmin.exe\n    - \\vssvc.exe\n    - \\w3wp.exe*\n    - \\winlogon.exe\n    - \\winscp.exe\n    - \\wmic.exe\n    
- \\word.exe\n    - \\wscript.exe\n  filter:\n    SourceImage|contains: Visual Studio\n  condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n
\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n  do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n  malicious logic within the PROCESS_ATTACH block of their library and restart the\n  aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n  machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - \'*\\tsmsisrv.dll\'\n    - \'*\\tsvipsrv.dll\'\n    - \'*\\wlbsctrl.dll\'\n  filter:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - C:\\Windows\\WinSxS\\*\n  condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n
\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n  machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: \'*\\mstsc.exe\'\n    TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  methregistry:\n    EventID: 13\n    TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n  methprocess:\n    EventID: 1\n    ParentImage: \'*\\eventvwr.exe\'\n  filterprocess:\n    Image: \'*\\mmc.exe\'\n  condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n
\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image|endswith: \\lsass.exe\n    Signed: \'false\'\n  condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n  selection_2:\n    TargetFilename|contains: \\inetpub\\wwwroot\\\n  selection_3:\n    TargetFilename|contains:\n    - .asp\n    - .ashx\n    - .ph\n  selection_4:\n    TargetFilename|contains:\n    - \\www\\\n    - \\htdocs\\\n    - \\html\\\n  selection_5:\n    TargetFilename|contains: .ph\n  selection_6:\n  - TargetFilename|endswith: .jsp\n  - TargetFilename|contains|all:\n    - \\cgi-bin\\\n    - .pl\n  condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n    selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n  web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*.github.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*dl.dropboxusercontent.com\'\n    - \'*.pastebin.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg1:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n    EventType: SetValue\n  condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selector:\n    EventID:\n    - 19\n    - 20\n    - 21\n  condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\wmiclnt.dll\n    - \\WmiApRpl.dll\n    - \\wmiprov.dll\n    - \\wmiutils.dll\n    - \\wbemcomn.dll\n    - \\wbemprox.dll\n    - \\WMINet_Utils.dll\n    - \\wbemsvc.dll\n    - \\fastprox.dll\n  filter:\n    Image|endswith:\n    - \\WmiPrvSe.exe\n    - \\WmiPrvSE.exe\n    - \\WmiAPsrv.exe\n    - \\svchost.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n    ImageLoaded: wbemcons.dll\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 20\n    Destination:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n    - \'* iex(*\'\n    - \'*WScript.shell*\'\n    - \'* -nop *\'\n    - \'* -noprofile *\'\n    - \'* -decode *\'\n    - \'* -enc *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n
\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n  as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*-noni -ep bypass $*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n
\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n  selection:\n    CommandLine:\n    - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n    - powershell.exe mshta.exe http*\n    - cmd.exe /c taskkill /im cmd.exe\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Russian group activity as described in Global Threat Report 2019\n  by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\xcopy.exe\'\n    CommandLine: \'* /S /E /C /Q /H \\\\*\'\n  selection2:\n    Image: \'*\\adexplorer.exe\'\n    CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n
\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n  in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n    - \'*\\AppData\\Local\\\\*,DllEntry*\'\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n
\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cscript.exe\'\n    CommandLine: \'*.vbs /shell *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n
\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\crackmapexec.exe\'\n  condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor acitivty as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n
\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor acitivty as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: C:\\Windows\\SysWOW64\\cmd.exe\n    CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n  selection2:\n    CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n
\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n  Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\sllauncher.exe\'\n    Image: \'*\\svchost.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n
\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*,dll_u\'\n  selection2:\n    CommandLine: \'* -export dll_u *\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n
\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* localgroup administrators admin /add\'\n    - \'*\\Win64.exe*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n  2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*\\ldifde.exe -f -n *\'\n    - \'*\\7za.exe a 1.7z *\'\n    - \'* eprod.ldf\'\n    - \'*\\aaaa\\procdump64.exe*\'\n    - \'*\\aaaa\\netsess.exe*\'\n    - \'*\\aaaa\\7za.exe*\'\n    - \'*copy .\\1.7z \\\\*\'\n    - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n  selection2:\n    Image: C:\\Users\\Public\\7za.exe\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n
\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*Temp\\wtask.exe /create*\'\n    - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n    - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n    - \'*/tn \"Security Script *\'\n    - \'*%windir:~-1,1%*\'\n  selection2:\n    Image:\n    - \'*Temp\\winwsh.exe\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader acitivty as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n
\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader activity as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rundll32.exe %APPDATA%\\\\*.dat\",*\n    - rundll32.exe %APPDATA%\\\\*.dll\",#1\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n
\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n  as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: ps.exe -accepteula\n  condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n
\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n  in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n  condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n
\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n  Dec/Jan 2020 in a campaign against Hong Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage|contains:\n    - C:\\Windows\\Temp\n    - \\hpqhvind.exe\n    Image|startswith: C:\\ProgramData\\DRM\n  selection2:\n    ParentImage|startswith: C:\\ProgramData\\DRM\n    Image|endswith: \\wmplayer.exe\n  selection3:\n    ParentImage|endswith: \\Test.exe\n    Image|endswith: \\wmplayer.exe\n  selection4:\n    Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n  selection5:\n    ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n    Image|endswith: \\SearchFilterHost.exe\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name. NOTE(review): the Sigma selection uses the non-standard field Command rather than CommandLine, so the generated ElastAlert filter queries Command.keyword instead of process.command_line.keyword as every other process_creation rule here does; until that field name is corrected this rule is unlikely to match any Sysmon event.'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n
\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Command:\n    - rundll32.exe *,zxFunction*\n    - rundll32.exe *,RemoteDiskXXXXX\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n
\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\attrib.exe\'\n    CommandLine: \'* +h *\'\n  ini:\n    CommandLine: \'*\\desktop.ini *\'\n  intel:\n    ParentImage: \'*\\cmd.exe\'\n    CommandLine: +R +H +S +A \\\\*.cui\n    ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n  condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n  and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of bcdedit to disable Windows boot status reporting or automatic recovery (bootstatuspolicy ignoreallfailures, recoveryenabled no). This tactic is sometimes used by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n
\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n  imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - wmic * *format:\\\"http*\n    - wmic * /format:\'http\n    - wmic * /format:http*\n  selection2:\n    Imphash:\n    - 1B1A3F43BF37B5BFE60751F2EE2F326E\n    - 37777A96245A3C74EB217308F3546F4C\n    - 9D87C9D67CE724033C0B40CC4CA1B206\n    CommandLine:\n    - \'* *format:\\\"http*\'\n    - \"* /format:\'http\"\n    - \'* /format:http*\'\n  condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n
\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n  called the file association or handler) is checked. File association selections\n  are stored in the Windows Registry and can be edited by users, administrators, or\n  programs that have Registry access or by administrators using the built-in assoc\n  utility. Applications can modify the file association for a given file extension\n  to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - cmd\n    - /c\n    - assoc\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n
\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cmdkey.exe\'\n    CommandLine: \'* /list *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n
\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n  Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentCommandLine: \'*\\DllHost.exe\'\n  selection2:\n    ParentCommandLine:\n    - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n    - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n
\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n  folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    CommandLine: \'*.cpl\'\n  filter:\n    CommandLine:\n    - \'*\\System32\\\\*\'\n    - \'*%System%*\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n
\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n  copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\esentutl.exe\n    CommandLine|contains:\n    - vss\n    - \' /m \'\n    - \' /y \'\n  - CommandLine|contains:\n    - \\windows\\ntds\\ntds.dit\n    - \\config\\sam\n    - \\config\\security\n    - \'\\config\\system \'\n    - \\repair\\sam\n    - \\repair\\system\n    - \\repair\\security\n    - \\config\\RegBack\\sam\n    - \\config\\RegBack\\system\n    - \\config\\RegBack\\security\n  condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n  by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n
\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n
\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n  prior to exfiltration in order to make it portable and minimize the amount of data\n  sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\rar.exe\n    CommandLine|contains: \' a \'\n  condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains|all:\n    - -filter\n    - trustedDomain\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n  line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains: ::FromBase64String\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains:\n    - IEX ([\n    - iex ([\n    - iex (New\n    - IEX (New\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n  indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_clear_1:\n    CommandLine: \'* cl */Trace*\'\n  selection_clear_2:\n    CommandLine: \'* clear-log */Trace*\'\n  selection_disable_1:\n    CommandLine: \'* sl* /e:false*\'\n  selection_disable_2:\n    CommandLine: \'* set-log* /e:false*\'\n  condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n
\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\plink.exe\n    - \\socat.exe\n    - \\stunnel.exe\n    - \\httptunnel.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n  in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\MicroScMgmt.exe \'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n  for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\FLTLDR.exe*\'\n  condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n  (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n
\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n  sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\EQNEDT32.EXE\'\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n  for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\csc.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n  SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - C:\\Windows\\Setup\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n  to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\consent.exe\'\n    Image: \'*\\iexplore.exe\'\n    CommandLine: \'* http*\'\n  rights1:\n    IntegrityLevel: System\n  rights2:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n  vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n    Image|endswith:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n
\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\takeown.exe\n    - \\cacls.exe\n    - \\icacls.exe\n    CommandLine|contains: /grant\n  - Image|endswith: \\attrib.exe\n    CommandLine|contains: -r\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n
\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    NewProcessName: \'*\\reg.exe\'\n    CommandLine|contains:\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - hklm\n    - hkey_local_machine\n  selection_3:\n    CommandLine|endswith:\n    - \\system\n    - \\sam\n    - \\security\n  condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n
\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n  tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|contains:\n    - \\Bloodhound.exe\n    - \\SharpHound.exe\n  selection2:\n    CommandLine|contains:\n    - \' -CollectionMethod All \'\n    - \'.exe -c All -d \'\n    - Invoke-Bloodhound\n    - Get-BloodHoundData\n  selection3:\n    CommandLine|contains|all:\n    - \' -JsonFolder \'\n    - \' -ZipFileName \'\n  selection4:\n    CommandLine|contains|all:\n    - \' DCOnly \'\n    - \' --NoSaveCache \'\n  condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n
\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*cmd.exe* /q /c chcp *\'\n  condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n
\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* asreproast *\'\n    - \'* dump /service:krbtgt *\'\n    - \'* kerberoast *\'\n    - \'* createnetonly /program:*\'\n    - \'* ptt /ticket:*\'\n    - \'* /impersonateuser:*\'\n    - \'* renew /ticket:*\'\n    - \'* asktgt /user:*\'\n    - \'* harvest /interval:*\'\n  condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n
\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Company: SecurityXploded\n  selection2:\n    Image|endswith: PasswordDump.exe\n  selection3:\n    OriginalFilename|endswith: PasswordDump.exe\n  condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n
\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\hh.exe\n    CommandLine|contains: .chm\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n
\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n  executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: C:\\Windows\\hh.exe\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\rundll32.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n  could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\Hwp.exe\'\n    Image: \'*\\gbb.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n
\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_other:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\services.exe\'\n    CommandLine:\n    - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n  selection_atexec:\n    ParentCommandLine:\n    - \'*svchost.exe -k netsvcs\'\n    - taskeng.exe*\n    CommandLine:\n    - cmd.exe /C *Windows\\\\Temp\\\\*&1\n  condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n
\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n  pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\pcalua.exe\n    - \\forfiles.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n  as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n  in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n  condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n
\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n  escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\at.exe\n    CommandLine|contains: interactive\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n
\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n  by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n  product: windows\n  service: process_creation\ndetection:\n  selection:\n  - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n  - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n  - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n  - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n  - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n  - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n  - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentIntegrityLevel: Medium\n    IntegrityLevel: System\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n  in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\svchost.exe\'\n    Image: \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n
\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n  - Image|endswith: \\whoami.exe\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains|all:\n    - useraccount\n    - get\n  - Image|endswith:\n    - \\quser.exe\n    - \\qwinsta.exe\n  - Image|endswith: \\cmdkey.exe\n    CommandLine|contains: /list\n  - Image|endswith: \\cmd.exe\n    CommandLine|contains|all:\n    - /c\n    - \'dir \'\n    - \\Users\\\n  filter_1:\n    CommandLine|contains:\n    - \' rmdir \'\n  selection_2:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: user\n  filter_2:\n    CommandLine|contains:\n    - /domain\n    - /add\n    - /delete\n    - /active\n    - /expires\n    - /passwordreq\n    - /scriptpath\n    - /times\n    - /workstations\n  condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n  which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n  to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine|contains|all:\n    - lsass\n    - .dmp\n  selection2:\n    Image|endswith: \\werfault.exe\n  selection3:\n    Image|contains: \\procdump\n    Image|endswith: .exe\n    CommandLine|contains: lsass\n  condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n
\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n  selection2:\n    ParentImage: \'*\\svchost.exe*\'\n    CommandLine:\n    - \'*whoami.exe /all\'\n    - \'*net.exe view\'\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n
\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* echo EEEE > *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n
\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n  more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e* PAA*\'\n    - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n    - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n    - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n    - \'*IgAoACcAKgAnACkAOwAkA*\'\n    - \'*IAKAAnACoAJwApADsAJA*\'\n    - \'*iACgAJwAqACcAKQA7ACQA*\'\n    - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n
\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n  of files in the System32 folder, which executes a special command command line to\n  delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n  all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - C:\\Windows\\System32\\\\*.exe\n    - C:\\Windows\\SysWOW64\\\\*.exe\n    CommandLine:\n    - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n    - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n    - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n
\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n  are passed back to the main module via named pipe, the file system journal of drive\n  C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  pipe_com:\n    CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n  rundll32_dash1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*.dat,#1\'\n  perfc_keyword:\n  - \'*\\perfc.dat*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n
\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage: \'*\\WinRAR.exe\'\n    Image: \'*\\wscript.exe\'\n  selection2:\n    CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n
\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - Microsoft\\Windows\\CurrentVersion\\Run\n    - C:\\users\\Public\\\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n
\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'* C:\\Users\\\\*.jse *\'\n    - \'* C:\\Users\\\\*.vbe *\'\n    - \'* C:\\Users\\\\*.js *\'\n    - \'* C:\\Users\\\\*.vba *\'\n    - \'* C:\\Users\\\\*.vbs *\'\n    - \'* C:\\ProgramData\\\\*.jse *\'\n    - \'* C:\\ProgramData\\\\*.vbe *\'\n    - \'* C:\\ProgramData\\\\*.js *\'\n    - \'* C:\\ProgramData\\\\*.vba *\'\n    - \'* C:\\ProgramData\\\\*.vbs *\'\n  falsepositive:\n    ParentImage: \'*\\winzip*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n
\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n  automatically every few minutes. This detectors attempts to identify that activity\n  based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\nltest.exe\'\n    CommandLine:\n    - /domain_trusts /all_trusts\n    - /domain_trusts\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n
\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\tasksche.exe\'\n    - \'*\\mssecsvc.exe\'\n    - \'*\\taskdl.exe\'\n    - \'*\\@WanaDecryptor@*\'\n    - \'*\\WanaDecryptor*\'\n    - \'*\\taskhsvc.exe\'\n    - \'*\\taskse.exe\'\n    - \'*\\111.exe\'\n    - \'*\\lhdfrgui.exe\'\n    - \'*\\diskpart.exe\'\n    - \'*\\linuxnew.exe\'\n    - \'*\\wannacry.exe\'\n  selection2:\n    CommandLine:\n    - \'*icacls * /grant Everyone:F /T /C /Q*\'\n    - \'*bcdedit /set {default} recoveryenabled no*\'\n    - \'*wbadmin delete catalog -quiet*\'\n    - \'*@Please_Read_Me@.txt*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n
\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /INJECTRUNNING *\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n
\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n  a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    ParentImage|endswith: \\services.exe\n  selection_2:\n  - CommandLine|contains:\n    - cmd\n    - comspec\n  - CommandLine|contains|all:\n    - cmd\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - \'%COMSPEC%\'\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - rundll32\n    - .dll,a\n    - \'/p:\'\n  filter1:\n    CommandLine|contains: MpCmdRun\n  condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    CommandLine|contains:\n    - DumpCreds\n    - invoke-mimikatz\n  selection_2:\n    CommandLine|contains:\n    - rpc\n    - token\n    - crypto\n    - dpapi\n    - sekurlsa\n    - kerberos\n    - lsadump\n    - privilege\n    - process\n  selection_3:\n    CommandLine|contains:\n    - \'::\'\n  condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n
\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mmc.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mshta.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n
\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - arp.exe\n    - at.exe\n    - attrib.exe\n    - cscript.exe\n    - dsquery.exe\n    - hostname.exe\n    - ipconfig.exe\n    - mimikatz.exe\n    - nbtstat.exe\n    - net.exe\n    - netsh.exe\n    - nslookup.exe\n    - ping.exe\n    - quser.exe\n    - qwinsta.exe\n    - reg.exe\n    - runas.exe\n    - sc.exe\n    - schtasks.exe\n    - ssh.exe\n    - systeminfo.exe\n    - taskkill.exe\n    - telnet.exe\n    - tracert.exe\n    - wscript.exe\n    - xcopy.exe\n    - pscp.exe\n    - copy.exe\n    - robocopy.exe\n    - certutil.exe\n    - vssadmin.exe\n    - powershell.exe\n    - wevtutil.exe\n    - psexec.exe\n    - bcedit.exe\n    - wbadmin.exe\n    - icacls.exe\n    - diskpart.exe\n  timeframe: 5m\n  condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n  Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: view\n  filter:\n    CommandLine|contains: \\\\\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains|all:\n    - user\n    - add\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*netsh firewall add*\'\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n
\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - netsh\n    - trace\n    - start\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh interface portproxy add v4tov4 *\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n  used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh i* p*=3389 c*\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n
\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n  monitor or capture information sent over a wired or wireless connection. An adversary\n  may place a network interface into promiscuous mode to passively access data in\n  transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\tshark.exe\n    CommandLine|contains: -i\n  - Image|endswith: \\windump.exe\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n
\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - create\n    - binpath\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: new-service\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n
\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n  with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n  filter:\n    ParentImage|endswith: \\explorer.exe\n  condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n  Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\scrcons.exe\'\n    - \'*\\schtasks.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\hh.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\msiexec.exe\'\n    - \'*\\forfiles.exe\'\n    - \'*\\scriptrunner.exe\'\n    - \'*\\mftrace.exe\'\n    - \'*\\AppVLP.exe\'\n    - \'*\\svchost.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n
\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n  Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - C:\\users\\\\*.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR 
*\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n  for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_cammute:\n    Image: \'*\\CamMute.exe\'\n  filter_cammute:\n    Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n  selection_chrome_frame:\n    Image: \'*\\chrome_frame_helper.exe\'\n  filter_chrome_frame:\n    Image: \'*\\Google\\Chrome\\application\\\\*\'\n  selection_devemu:\n    Image: \'*\\dvcemumanager.exe\'\n  filter_devemu:\n    Image: \'*\\Microsoft Device Emulator\\\\*\'\n  selection_gadget:\n    Image: \'*\\Gadget.exe\'\n  filter_gadget:\n    Image: \'*\\Windows Media Player\\\\*\'\n  selection_hcc:\n    Image: \'*\\hcc.exe\'\n  filter_hcc:\n    Image: \'*\\HTML Help Workshop\\\\*\'\n  selection_hkcmd:\n    Image: \'*\\hkcmd.exe\'\n  filter_hkcmd:\n    Image:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysNative\\\\*\'\n    - \'*\\SysWowo64\\\\*\'\n  selection_mc:\n    Image: \'*\\Mc.exe\'\n  filter_mc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n  selection_msmpeng:\n    Image: \'*\\MsMpEng.exe\'\n  filter_msmpeng:\n    Image:\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Windows Defender\\\\*\'\n    - \'*\\AntiMalware\\\\*\'\n  selection_msseces:\n    Image: \'*\\msseces.exe\'\n  filter_msseces:\n    Image:\n    - \'*\\Microsoft Security Center\\\\*\'\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Microsoft Security Essentials\\\\*\'\n  
selection_oinfo:\n    Image: \'*\\OInfoP11.exe\'\n  filter_oinfo:\n    Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n  selection_oleview:\n    Image: \'*\\OleView.exe\'\n  filter_oleview:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n  selection_rc:\n    Image: \'*\\rc.exe\'\n  filter_rc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n    - \'*\\Microsoft.NET\\\\*\'\n  condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n    and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n    ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n    ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n    ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n    filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n    and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n  whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \\msdt.exe\n    - \\installutil.exe\n    - \\regsvcs.exe\n    - \\regasm.exe\n    - \\msbuild.exe\n    - \\ieexec.exe\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Using installutil to add features for .NET applications (primarly would occur in\n  developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentUser:\n    - NT AUTHORITY\\NETWORK SERVICE\n    - NT AUTHORITY\\LOCAL SERVICE\n    User: NT AUTHORITY\\SYSTEM\n  rundllexception:\n    Image|endswith: \\rundll32.exe\n    CommandLine|contains: DavSetCookie\n  condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n
\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*System.Management.Automation.AmsiUtils*\'\n  selection2:\n    CommandLine:\n    - \'*amsiInitFailed*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n  selection:\n    CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*AAAAYInlM*\'\n  selection2:\n    CommandLine:\n    - \'*OiCAAAAYInlM*\'\n    - \'*OiJAAAAYInlM*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains: Start-BitsTransfer\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\rundll32.exe\'\n  selection2:\n    Description:\n    - \'*Windows-Hostprozess (Rundll32)*\'\n  selection3:\n    CommandLine:\n    - \'*Default.GetString*\'\n    - \'*FromBase64String*\'\n  condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n  line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\powershell.exe\'\n    CommandLine:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n
\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains: ::FromBase64String(\n  condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\Powershell.exe\'\n    CommandLine:\n    - \' -windowstyle h \'\n    - \' -windowstyl h\'\n    - \' -windowsty h\'\n    - \' -windowst h\'\n    - \' -windows h\'\n    - \' -windo h\'\n    - \' -wind h\'\n    - \' -win h\'\n    - \' -wi h\'\n    - \' -win h \'\n    - \' -win hi \'\n    - \' -win hid \'\n    - \' -win hidd \'\n    - \' -win hidde \'\n    - \' -NoPr \'\n    - \' -NoPro \'\n    - \' -NoProf \'\n    - \' -NoProfi \'\n    - \' -NoProfil \'\n    - \' -nonin \'\n    - \' -nonint \'\n    - \' -noninte \'\n    - \' -noninter \'\n    - \' -nonintera \'\n    - \' -noninterac \'\n    - \' -noninteract \'\n    - \' -noninteracti \'\n    - \' -noninteractiv \'\n    - \' -ec \'\n    - \' -encodedComman \'\n    - \' -encodedComma \'\n    - \' -encodedComm \'\n    - \' -encodedCom \'\n    - \' -encodedCo \'\n    - \' -encodedC \'\n    - \' -encoded \'\n    - \' -encode \'\n    - \' -encod \'\n    - \' -enco \'\n    - \' -en \'\n  condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n  obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    CommandLine:\n    - \'* -bxor*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n
\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\powershell.exe\'\n    CommandLine:\n    - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\taskhost.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\services.exe\'\n    - \'*\\lsaiso.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\winlogon.exe\'\n  filter:\n    ParentImage:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysWOW64\\\\*\'\n    - \'*\\SavService.exe\'\n    - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n
\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\bitsadmin.exe\'\n    CommandLine:\n    - \'* /transfer *\'\n  selection2:\n    CommandLine:\n    - \'*copy bitsadmin.exe*\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - comsvcs.dll,#24\n    - comsvcs.dll,MiniDump\n  condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n
\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n  condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n
\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n  about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\reg.exe\n    CommandLine|contains:\n    - query\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - currentVersion\\windows\n    - currentVersion\\runServicesOnce\n    - currentVersion\\runServices\n    - winlogon\\\n    - currentVersion\\shellServiceObjectDelayLoad\n    - currentVersion\\runOnce\n    - currentVersion\\runOnceEx\n    - currentVersion\\run\n    - currentVersion\\policies\\explorer\\run\n    - currentcontrolset\\services\n  condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n
\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - noconsentprompt\n    - \'shadow:\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n  parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wsmprovhost.exe\n  - ParentImage|endswith: \\wsmprovhost.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n
\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n  may be used before executing a scheduled task or to discover the time zone of a\n  target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: time\n  - Image|endswith: \\w32tm.exe\n    CommandLine|contains: tz\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: Get-Date\n  condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n
\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n    - \'*\\psexec.exe\'\n    - \'*\\psexec64.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cmstp.exe\'\n    - \'*\\msiexec.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n  string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Product:\n    - \'*PAExec*\'\n  selection2:\n    Imphash:\n    - 11D40A7B7876288F919AB819CC2D9802\n    - 6444f8a34e99b8f7d9647de66aabe516\n    - dfd6aa3f7b2b1035b76b718f1ddc689f\n    - 1a6cca4d5460b1710a12dea39e4a592c\n  filter1:\n    Image: \'*paexec*\'\n  condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n
\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\powershell.exe\n    Image|endswith: \\powershell.exe\n    CommandLine|contains|all:\n    - Get-Content\n    - -Stream\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n  to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\sdbinst.exe\'\n    CommandLine:\n    - \'*.sdb*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n
\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: \' start \'\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n
\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\sc.exe\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: stop\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n  utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - mklink\n    - HarddiskVolumeShadowCopy\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n  access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - create\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - delete\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n  for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\mshta.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\schtasks.exe\'\n    - \'*\\nslookup.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\bitsadmin.exe\'\n    - \'*\\mshta.exe\'\n  falsepositives:\n    CurrentDirectory: \'*\\ccmcache\\\\*\'\n  condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\SoundRecorder.exe\n    CommandLine|contains: /FILE\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_image:\n    Image: \'*\\setspn.exe\'\n  selection_desc:\n    Description: \'*Query or reset the computer* SPN attribute*\'\n  cmd:\n    CommandLine: \'*-q*\'\n  condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName: \'*\\bcdedit.exe\'\n    ProcessCommandLine:\n    - \'*delete*\'\n    - \'*deletevalue*\'\n    - \'*import*\'\n  condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\bginfo.exe\n    CommandLine|contains|all:\n    - /popup\n    - /nolicprompt\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n  a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\calc.exe *\'\n  selection2:\n    Image: \'*\\calc.exe\'\n  filter2:\n    Image: \'*\\Windows\\Sys*\'\n  condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cdb.exe\n    CommandLine|contains: -cf\n  condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n  \'decode\' sub command, which is sometimes used to decode malicious code with the\n  built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -decode *\'\n    - \'* /decode *\'\n    - \'* -decodehex *\'\n    - \'* /decodehex *\'\n    - \'* -urlcache *\'\n    - \'* /urlcache *\'\n    - \'* -verifyctl *\'\n    - \'* /verifyctl *\'\n    - \'* -encode *\'\n    - \'* /encode *\'\n    - \'*certutil* -URL*\'\n    - \'*certutil* /URL*\'\n    - \'*certutil* -ping*\'\n    - \'*certutil* /ping*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n
\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects suspicious a certutil command that used to encode files, which\n  is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - certutil -f -encode *\n    - certutil.exe -f -encode *\n    - certutil -encode -f *\n    - certutil.exe -encode -f *\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious process that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious process that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*h^t^t^p*\'\n    - \'*h\"t\"t\"p*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n
\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes an URL and\n  AppData string in the command line parameters as used by several droppers (js/vbs\n  > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - cmd.exe /c *http://*%AppData%\n    - cmd.exe /c *https://*%AppData%\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n  language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - chcp* 936\n    - chcp* 1258\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n
\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n  groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - tasklist\n    - net time\n    - systeminfo\n    - whoami\n    - nbtstat\n    - net start\n    - \'*\\net1 start\'\n    - qprocess\n    - nslookup\n    - hostname.exe\n    - \'*\\net1 user /domain\'\n    - \'*\\net1 group /domain\'\n    - \'*\\net1 group \"domain admins\" /domain\'\n    - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n    - \'*\\net1 accounts /domain\'\n    - \'*\\net1 user net localgroup administrators\'\n    - netstat -an\n  timeframe: 15s\n  condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n  tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - 7z*.exe\n    - \'*rar.exe\'\n    - \'*Command*Line*RAR*\'\n    CommandLine:\n    - \'* -p*\'\n    - \'* -ta*\'\n    - \'* -tb*\'\n    - \'* -sdel*\'\n    - \'* -dw*\'\n    - \'* -hp*\'\n  falsepositive:\n    ParentImage: C:\\Program*\n  condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  rundll_image:\n    Image: \'*\\rundll32.exe\'\n  rundll_ofn:\n    OriginalFileName: RUNDLL32.EXE\n  selection:\n    CommandLine:\n    - \'*comsvcs*MiniDump*full*\'\n    - \'*comsvcs*MiniDumpW*full*\'\n  condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n  Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\System32\\control.exe\'\n    CommandLine: \'*\\rundll32.exe *\'\n  filter:\n    CommandLine: \'*Shell32.dll*\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n
\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - copy *\\c$\n    - copy *\\ADMIN$\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n  delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe*\'\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n  folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe\'\n    CommandLine:\n    - \'*\\AppData\\\\*\'\n    - \'*\\Windows\\Temp\\\\*\'\n  filter:\n    ParentImage:\n    - C:\\Program Files*\n    - \'*\\sdiagnhost.exe\'\n    - \'*\\w3wp.exe\'\n  condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n
\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n  Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  condition: selection\n  selection:\n    CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n
\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\dctask64.exe\n  filter:\n    CommandLine|contains:\n    - DesktopCentral_Agent\\agent\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n
\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\devtoolslauncher.exe\n    CommandLine|contains: LaunchForDeploy\n  condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n
\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n  registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \'*\\reg.exe\'\n    CommandLine|contains: add\n  selection_2:\n    CommandLine|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n    - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dnx.exe\n  condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n  extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n  in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*.doc.exe\'\n    - \'*.docx.exe\'\n    - \'*.xls.exe\'\n    - \'*.xlsx.exe\'\n    - \'*.ppt.exe\'\n    - \'*.pptx.exe\'\n    - \'*.rtf.exe\'\n    - \'*.pdf.exe\'\n    - \'*.txt.exe\'\n    - \'*      .exe\'\n    - \'*______.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dxcap.exe\n    CommandLine|contains|all:\n    - -c\n    - .exe\n  condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n  and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_wevtutil_binary:\n    Image|endswith: \\wevtutil.exe\n  selection_wevtutil_command:\n    CommandLine|contains:\n    - clear-log\n    - \' cl \'\n    - set-log\n    - \' sl \'\n  selection_other_ps:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains:\n    - Clear-EventLog\n    - Remove-EventLog\n    - Limit-EventLog\n  selection_other_wmic:\n    Image|endswith: \\wmic.exe\n    CommandLine|contains: \' ClearEventLog \'\n  condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n
\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - C:\\PerfLogs\\\\*\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Intel\\Logs\\\\*\n    - C:\\Users\\Default\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\NetworkService\\\\*\n    - C:\\Windows\\Fonts\\\\*\n    - C:\\Windows\\Debug\\\\*\n    - C:\\Windows\\Media\\\\*\n    - C:\\Windows\\Help\\\\*\n    - C:\\Windows\\addins\\\\*\n    - C:\\Windows\\repair\\\\*\n    - C:\\Windows\\security\\\\*\n    - \'*\\RSA\\MachineKeys\\\\*\'\n    - C:\\Windows\\system32\\config\\systemprofile\\\\*\n    - C:\\Windows\\Tasks\\\\*\n    - C:\\Windows\\System32\\Tasks\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n  out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wwwroot\\\\*\'\n    - \'*\\wmpub\\\\*\'\n    - \'*\\htdocs\\\\*\'\n  filter:\n    Image:\n    - \'*bin\\\\*\'\n    - \'*\\Tools\\\\*\'\n    - \'*\\SMSComponent\\\\*\'\n    ParentImage:\n    - \'*\\services.exe\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n
\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh firewall set opmode mode=disable\n    - netsh advfirewall set * state off\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n
\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n  it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n  and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  binary_1:\n    Image|endswith: \\fsutil.exe\n  binary_2:\n    OriginalFileName: fsutil.exe\n  selection:\n    CommandLine|contains:\n    - deletejournal\n    - createjournal\n  condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n  which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\GUP.exe\'\n  filter:\n    Image:\n    - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n    - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n  condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n
\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\APPCMD.EXE install module /name:*\'\n  condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n  IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\msiexec.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n
\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* msiexec*://*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\powerpnt.exe\n    - \\winword.exe\n    - \\excel.exe\n    CommandLine|contains: http\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n  (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\net.exe\'\n    - \'*\\net1.exe\'\n  cmdline:\n    CommandLine:\n    - \'* group*\'\n    - \'* localgroup*\'\n    - \'* user*\'\n    - \'* view*\'\n    - \'* share\'\n    - \'* accounts*\'\n    - \'* use*\'\n    - \'* stop *\'\n  condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n  following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n
\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n  against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\ntdsutil*\'\n  condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\odbcconf.exe\n    CommandLine|contains:\n    - -f\n    - regsvr\n  selection_2:\n    ParentImage|endswith: \\odbcconf.exe\n    Image|endswith: \\rundll32.exe\n  condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n
\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\OpenWith.exe\n    CommandLine|contains: /c\n  condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  clientMailRules:\n    CommandLine: \'*EnableUnsafeClientMailRules*\'\n  outlookExec:\n    ParentImage: \'*\\outlook.exe\'\n    CommandLine: \\\\\\\\*\\\\*.exe\n  condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n
\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\ping.exe 0x*\'\n    - \'*\\ping 0x*\'\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n    - \'* -noP -sta -w 1 -enc *\'\n    - \'* -NoP -NonI -W Hidden -enc *\'\n  condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n    - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n  (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e JAB*\'\n    - \'* -e  JAB*\'\n    - \'* -e   JAB*\'\n    - \'* -e    JAB*\'\n    - \'* -e     JAB*\'\n    - \'* -e      JAB*\'\n    - \'* -en JAB*\'\n    - \'* -enc JAB*\'\n    - \'* -enc* JAB*\'\n    - \'* -w hidden -e* JAB*\'\n    - \'* BA^J e-\'\n    - \'* -e SUVYI*\'\n    - \'* -e aWV4I*\'\n    - \'* -e SQBFAFgA*\'\n    - \'* -e aQBlAHgA*\'\n    - \'* -enc SUVYI*\'\n    - \'* -enc aWV4I*\'\n    - \'* -enc SQBFAFgA*\'\n    - \'* -enc aQBlAHgA*\'\n  falsepositive1:\n    CommandLine: \'* -ExecutionPolicy remotesigned *\'\n  condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n  lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  encoded:\n    Image: \'*\\powershell.exe\'\n    CommandLine: \'* hidden *\'\n  selection:\n    CommandLine:\n    - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n    - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n    - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n    - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n    - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n    - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n    - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n    - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n    - \'*JGNodW5rX3Npem*\'\n    - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n    - \'*RjaHVua19zaXpl*\'\n    - \'*Y2h1bmtfc2l6Z*\'\n    - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n    - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n    - \'*lPLkNvbXByZXNzaW9u*\'\n    - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n    - \'*SU8uQ29tcHJlc3Npb2*\'\n    - \'*Ty5Db21wcmVzc2lvb*\'\n    - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n    - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n    - \'*lPLk1lbW9yeVN0cmVhb*\'\n    - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n    - \'*SU8uTWVtb3J5U3RyZWFt*\'\n    - \'*Ty5NZW1vcnlTdHJlYW*\'\n    - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n    - \'*5HZXRDaHVua*\'\n    - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n    - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n    - \'*LkdldENodW5r*\'\n    - \'*R2V0Q2h1bm*\'\n    - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n    - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n    - \'*RIUkVBRF9JTkZPNj*\'\n    - \'*SFJFQURfSU5GTzY0*\'\n    - 
\'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n    - \'*VEhSRUFEX0lORk82N*\'\n    - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n    - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n    - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n    - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n    - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n    - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n    - \'*0AZQBtAG0AbwB2AGUA*\'\n    - \'*1lbW1vdm*\'\n    - \'*AGUAbQBtAG8AdgBlA*\'\n    - \'*bQBlAG0AbQBvAHYAZQ*\'\n    - \'*bWVtbW92Z*\'\n    - \'*ZW1tb3Zl*\'\n  condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory\".keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n  programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  falsepositive:\n    CurrentDirectory: \'*\\Health Service State\\\\*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n  a special command line parameter in combination with the lsass.exe process. This\n  way we\'re also able to catch cases in which the attacker has renamed the procdump\n  executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'* -ma *\'\n  selection2:\n    CommandLine:\n    - \'* lsass*\'\n  selection3:\n    CommandLine:\n    - \'* -ma ls*\'\n  condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* sekurlsa:*\'\n    - net localgroup administrators * /add\n    - net group \"Domain Admins\" * /ADD /DOMAIN\n    - certutil.exe *-urlcache* http*\n    - certutil.exe *-urlcache* ftp*\n    - netsh advfirewall firewall *\\AppData\\\\*\n    - attrib +S +H +R *\\AppData\\\\*\n    - schtasks* /create *\\AppData\\\\*\n    - schtasks* /sc minute*\n    - \'*\\Regasm.exe *\\AppData\\\\*\'\n    - \'*\\Regasm *\\AppData\\\\*\'\n    - \'*\\bitsadmin* /transfer*\'\n    - \'*\\certutil.exe * -decode *\'\n    - \'*\\certutil.exe * -decodehex *\'\n    - \'*\\certutil.exe -ping *\'\n    - icacls * /grant Everyone:F /T /C /Q\n    - \'* wbadmin.exe delete catalog -quiet*\'\n    - \'*\\wscript.exe 
*.jse\'\n    - \'*\\wscript.exe *.js\'\n    - \'*\\wscript.exe *.vba\'\n    - \'*\\wscript.exe *.vbe\'\n    - \'*\\cscript.exe *.jse\'\n    - \'*\\cscript.exe *.js\'\n    - \'*\\cscript.exe *.vba\'\n    - \'*\\cscript.exe *.vbe\'\n    - \'*\\fodhelper.exe\'\n    - \'*waitfor*/s*\'\n    - \'*waitfor*/si persist*\'\n    - \'*remote*/s*\'\n    - \'*remote*/c*\'\n    - \'*remote*/q*\'\n    - \'*AddInProcess*\'\n    - \'* /stext *\'\n    - \'* /scomma *\'\n    - \'* /stab *\'\n    - \'* /stabular *\'\n    - \'* /shtml *\'\n    - \'* /sverhtml *\'\n    - \'* /sxml *\'\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n    - \'*\\Windows\\debug\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n  reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* /c powershell*\\AppData\\Local\\\\*\'\n    - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n  condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n  the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - powershell\n    - .DownloadFile\n    - System.Net.WebClient\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n
\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n  machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\Psr.exe\n    CommandLine|contains: /start\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rasdial\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - net group \"domain admins\" /domain\n    - net localgroup administrators\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n  recommendation: Check if the user that executed the commands is suspicious (e.g.\n    service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine: \'*\\Temp\\\\*\'\n  selection2:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\powershell.exe\'\n  selection3:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\cmd.exe\'\n  selection4:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine:\n    - \'*/i:http* scrobj.dll\'\n    - \'*/i:ftp* scrobj.dll\'\n  selection5:\n    Image: \'*\\wscript.exe\'\n    ParentImage: \'*\\regsvr32.exe\'\n  selection6:\n    Image: \'*\\EXCEL.EXE\'\n    CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n  process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n  filter:\n    Image|endswith: \\dctask64.exe\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*:\\RECYCLER\\\\*\'\n    - \'*:\\SystemVolumeInformation\\\\*\'\n    - C:\\\\Windows\\\\Tasks\\\\*\n    - C:\\\\Windows\\\\debug\\\\*\n    - C:\\\\Windows\\\\fonts\\\\*\n    - C:\\\\Windows\\\\help\\\\*\n    - C:\\\\Windows\\\\drivers\\\\*\n    - C:\\\\Windows\\\\addins\\\\*\n    - C:\\\\Windows\\\\cursors\\\\*\n    - C:\\\\Windows\\\\system32\\tasks\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n    - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n    - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n    - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n    - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n    - \'*\\rundll32.exe javascript:*\'\n    - \'* url.dll,*OpenURL *\'\n    - \'* url.dll,*OpenURLA *\'\n    - \'* url.dll,*FileProtocolHandler *\'\n    - \'* zipfldr.dll,*RouteTheCall *\'\n    - \'* Shell32.dll,*Control_RunDLL *\'\n    - \'* javascript:*\'\n    - \'*.RegisterXLL*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows contol panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,#*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Windows contol panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n
\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\schtasks.exe\'\n    CommandLine: \'* /create *\'\n  filter:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n
\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'*.jse\'\n    - \'*.vbe\'\n    - \'*.js\'\n    - \'*.vba\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n  it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - config\n    - binpath\n  selection_2:\n    CommandLine|contains:\n    - powershell\n    - cmd\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n
\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\update.exe\'\n    CommandLine:\n    - \'*--processStart*.exe*\'\n    - \'*--processStartAndWait*.exe*\'\n    - \'*--createShortcut*.exe*\'\n  condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\services.exe\'\n    - \'*\\MsMpEng.exe\'\n    - \'*\\Mrt.exe\'\n    - \'*\\rpcnet.exe\'\n    - \'*\\svchost.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n  and is normally observed when a malicious process spawns the process and injects\n  code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n  selection2:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\rpcnet.exe\'\n    - \'*\\rpcnetp.exe\'\n  condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n  (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\sysprep.exe *\\AppData\\\\*\'\n    - sysprep.exe *\\AppData\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n  condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnknown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\taskmgr.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\taskmgr.exe\'\n  filter:\n    Image:\n    - \'*\\resmon.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\taskmgr.exe\'\n  condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\tscon.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /dest:rdp-tcp:*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\csi.exe\n    ParentImage|endswith: \\powershell.exe\n    OriginalFileName: csi.exe\n  condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n  command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\userinit.exe\'\n  filter1:\n    CommandLine: \'*\\\\netlogon\\\\*\'\n  filter2:\n    Image: \'*\\explorer.exe\'\n  condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exploitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - \'*/NODE:*process call create *\'\n    - \'* path AntiVirusProduct get *\'\n    - \'* path FirewallProduct get *\'\n    - \'* shadowcopy delete *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n  easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    Image|endswith: \\fltmc.exe\n    CommandLine|contains|all:\n    - unload\n    - sys\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n
\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\services.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\spoolsv.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\smss.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\conhost.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\winlogon.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\taskhost.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\system32\\\\*\n    - C:\\Windows\\SysWow64\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\winsxs\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - \\SystemRoot\\System32\\\\*\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP installation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n
\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n  using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\tapinstall.exe\n  condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP installation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n
\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n  Adversaries can take advantage of this and load or influence any script hosts or\n  ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n  wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n  product: Windows\ndetection:\n  selection1:\n    CommandLine|contains:\n    - \'echo \'\n    - \'copy \'\n    - \'type \'\n    - file createnew\n  selection2:\n    CommandLine|contains:\n    - \' C:\\Windows\\System32\\Tasks\\\'\n    - \' C:\\Windows\\SysWow64\\Tasks\\\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n
\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n  could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n  filter:\n    Image: \'*\\rdpclip.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n  This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains: trustedDomain\n  condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n  Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cmstp.exe\n    CommandLine|contains:\n    - /s\n    - /au\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\fodhelper.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\wsreset.exe\n  filter:\n    Image|endswith: \\conhost.exe\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n  to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  scbynonadmin:\n    Image|endswith: \\sc.exe\n    IntegrityLevel: Medium\n  binpath:\n    CommandLine|contains|all:\n    - config\n    - binPath\n  failurecommand:\n    CommandLine|contains|all:\n    - failure\n    - command\n  condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n
\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n  just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*transport=dt_socket,address=*\'\n  exclusion:\n  - CommandLine: \'*address=127.0.0.1*\'\n  - CommandLine: \'*address=localhost*\'\n  condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n
\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n  activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\apache*\'\n    - \'*\\tomcat*\'\n    - \'*\\w3wp.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\httpd.exe\'\n    CommandLine:\n    - \'*whoami*\'\n    - \'*net user *\'\n    - \'*ping -n *\'\n    - \'*systeminfo\'\n    - \'*&cd&echo*\'\n    - \'*cd /d*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n
\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n  placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\w3wp.exe\'\n    - \'*\\httpd.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\tomcat.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n
\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n  a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image|endswith: \\whoami.exe\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: schtasks.exe\n    CommandLine: \'*/change*/TN*/RU*/RP*\'\n  condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n  category: process_creation\n  product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n  selection:\n    ParentImage: \'*\\EdgeTransport.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n    ParentImage: C:\\Windows\\System32\\svchost.exe\n  condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n
\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\WmiPrvSe.exe\n  filter:\n  - LogonId: \'0x3e7\'\n  - Username: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n  execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n
\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n  the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\WSreset.exe\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11184,'Issue',620,1,'New Sensitive Shared Resource'),(11185,'Issue',620,2,'Josh Brower'),(11186,'Issue',620,10,'medium'),(11187,'Issue',620,13,'imported'),(11188,'Issue',620,14,'osquery'),(11189,'Issue',620,8,'none'),(11191,'Issue',620,11,'8a0e88be7'),(11192,'Issue',620,12,'none'),(11193,'Issue',620,16,''),(11194,'Issue',620,17,''),(11195,'Issue',620,7,''),(11196,'Issue',620,3,'Network shares with loose access controls are common places that leak sensitive information. This play proactively looks for newly shared resources that likely contain sensitive data. Follow-up will be needed to confirm that appropriate access control is in place.'),(11197,'Issue',620,4,''),(11198,'Issue',620,5,'_False Positives_\nunknown'),(11199,'Issue',620,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((osquery.columns.qid:\"601\" AND osquery.columns.name.keyword:(*hr* OR *finance* OR *backup* OR *www* OR *scan*)) AND (NOT (osquery.result.counter:\"0\")))\nindex: so-osquery-*\nname: New Sensitive Shared Resource\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11200,'Issue',620,9,'{{collapse(View Sigma)\n
\n\ntitle: New Sensitive Shared Resource\ndescription: Network shares with loose access controls are common places that leak\n  sensitive information. This play proactively looks for newly shared resources that\n  likely contain sensitive data. Follow-up will be needed to confirm that appropriate\n  access control is in place.\nstatus: experimental\nauthor: Josh Brower\ntags:\n- attack.discovery\n- attack.t1135\nlogsource:\n  product: osquery\n  definition: select Description,Name,Path, \"601\" AS qid  from shared_resources where\n    type = 0 AND name <> \"print$\";\n  qid: 601\ndetection:\n  selection:\n    qid: 601\n    column_name:\n    - \'*hr*\'\n    - \'*finance*\'\n    - \'*backup*\'\n    - \'*www*\'\n    - \'*scan*\'\n  filter:\n    counter: 0\n  condition: selection and not filter\nfalsepositives:\n- unknown\nlevel: medium\ntasks:\n  1 - Check Share Permissions: Are share permissions set to an appropriate level?\n    They should be tied to the relevant AD Security Group.\n  2 - Contact System/Service Owner: If share permissions are not appropriate, contact\n    the system/service owner for remediation.\n\n
\n}}'),(11201,'Issue',620,15,'T1135'),(11202,'Issue',621,1,'Whoami Execution'),(11203,'Issue',621,2,'Florian Roth'),(11204,'Issue',621,10,'high'),(11205,'Issue',621,13,'imported'),(11206,'Issue',621,14,'windows'),(11207,'Issue',621,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11209,'Issue',621,11,'b2904c00a'),(11210,'Issue',621,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11211,'Issue',621,16,''),(11212,'Issue',621,17,''),(11213,'Issue',621,7,''),(11214,'Issue',621,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11215,'Issue',621,4,''),(11216,'Issue',621,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11217,'Issue',621,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11218,'Issue',621,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(11219,'Issue',621,15,'T1033'),(11220,'Issue',622,1,'Advanced IP Scanner'),(11221,'Issue',622,2,'@ROxPinTeddy'),(11222,'Issue',622,10,'medium'),(11223,'Issue',622,13,'community'),(11224,'Issue',622,14,'windows'),(11225,'Issue',622,8,'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'),(11227,'Issue',622,11,'28e0c60a4'),(11228,'Issue',622,12,'bef37fa2-f205-4a7b-b484-0759bfd5f86f'),(11229,'Issue',622,16,'win-proc'),(11230,'Issue',622,17,''),(11231,'Issue',622,7,''),(11232,'Issue',622,3,'Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.'),(11233,'Issue',622,4,''),(11234,'Issue',622,5,'_False Positives_\nLegitimate administrative use'),(11235,'Issue',622,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\advanced_ip_scanner*)\nindex: so-*\nname: Advanced IP Scanner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11236,'Issue',622,9,'{{collapse(View Sigma)\n
\n\ntitle: Advanced IP Scanner\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: experimental\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for\n  ransomware groups.\nreferences:\n- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nauthor: \'@ROxPinTeddy\'\ndate: 2020/05/12\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|contains: \\advanced_ip_scanner\n  condition: selection\nfalsepositives:\n- Legitimate administrative use\nlevel: medium\n\n
\n}}'),(11237,'Issue',622,15,'T1046'),(11238,'Issue',623,1,'Harvesting of Wifi Credentials Using netsh.exe'),(11239,'Issue',623,2,'Andreas Hunkeler (@Karneades)'),(11240,'Issue',623,10,'medium'),(11241,'Issue',623,13,'community'),(11242,'Issue',623,14,'windows'),(11243,'Issue',623,8,'https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/'),(11245,'Issue',623,11,'c7fcf9aee'),(11246,'Issue',623,12,'42b1a5b8-353f-4f10-b256-39de4467faff'),(11247,'Issue',623,16,'win-proc'),(11248,'Issue',623,17,''),(11249,'Issue',623,7,''),(11250,'Issue',623,3,'Detect the harvesting of wifi credentials using netsh.exe'),(11251,'Issue',623,4,''),(11252,'Issue',623,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe wlan functionality for legitimate reason'),(11253,'Issue',623,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear))\nindex: so-*\nname: Harvesting of Wifi Credentials Using netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11254,'Issue',623,9,'{{collapse(View Sigma)\n
\n\ntitle: Harvesting of Wifi Credentials Using netsh.exe\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: experimental\ndescription: Detect the harvesting of wifi credentials using netsh.exe\nreferences:\n- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2020/04/20\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh wlan s* p* k*=clear\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(11255,'Issue',623,15,'T1040');
 /*!40000 ALTER TABLE `custom_values` ENABLE KEYS */;
 UNLOCK TABLES;
@@ -798,7 +797,7 @@ CREATE TABLE `issues` (
 KEY `index_issues_on_created_on` (`created_on`),
 KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`),
 KEY `index_issues_on_parent_id` (`parent_id`)
-) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 /*!40101 SET character_set_client = @saved_cs_client */;
 --
@@ -807,7 +806,6 @@ CREATE TABLE `issues` (
 LOCK TABLES `issues` WRITE;
 /*!40000 ALTER TABLE `issues` DISABLE KEYS */;
-INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP 
Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping 
Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 
20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 
20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 
20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 
20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File 
Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 
20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-13 14:07:10',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 
20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited 
CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT 
Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 
20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:56:54','2020-05-13 14:07:11',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC 
Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,2,'2020-05-01 20:57:01','2020-05-13 14:07:11',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell 
Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via 
Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 
20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:27','2020-05-13 14:07:11',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 
20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 
20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 
20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 
20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(620,1,1,'New Sensitive Shared Resource',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 13:30:57','2020-05-13 
13:30:57',NULL,0,NULL,NULL,620,1,2,0,NULL),(621,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:05:41','2020-05-13 14:05:41',NULL,0,NULL,NULL,621,1,2,0,NULL),(622,1,1,'Advanced IP Scanner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:09','2020-05-13 14:07:09',NULL,0,NULL,NULL,622,1,2,0,NULL),(623,1,1,'Harvesting of Wifi Credentials Using netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:11','2020-05-13 14:07:11',NULL,0,NULL,NULL,623,1,2,0,NULL); /*!40000 ALTER TABLE `issues` ENABLE KEYS */; UNLOCK TABLES; @@ -827,7 +825,7 @@ CREATE TABLE `journal_details` ( `value` longtext, PRIMARY KEY (`id`), KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=901 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -836,7 +834,6 @@ CREATE TABLE `journal_details` ( LOCK TABLES `journal_details` WRITE; /*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; -INSERT INTO `journal_details` VALUES (5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n  the processing and rendering of data within XML files, rule detects when adversaries\n  abuse this functionality to execute arbitrary files while potentially bypassing\n  application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains: /format\n  - Image|endswith: \\msxsl.exe\n  condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4'),(9,627,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n  This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|endswith: \\bcdedit.exe\n    CommandLine: set\n  selection2:\n  - CommandLine|contains|all:\n    - bootstatuspolicy\n    - ignoreallfailures\n  - CommandLine|contains|all:\n    - recoveryenabled\n    - no\n  condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(10,629,'cf','9','{{collapse(View Sigma)\n
\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n  type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n  the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \' -version 2 \'\n    - \' -versio 2 \'\n    - \' -versi 2 \'\n    - \' -vers 2 \'\n    - \' -ver 2 \'\n    - \' -ve 2 \'\n    Image|endswith: \\powershell.exe\n  condition: selection\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(11,630,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n  (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - cmd.exe\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n    - 7z.exe\n    - winrar.exe\n    - wevtutil.exe\n    - net.exe\n    - net1.exe\n  filter:\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\powershell_ise.exe\n    - \\psexec.exe\n    - \\psexec64.exe\n    - \\cscript.exe\n    - \\wscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\certutil.exe\n    - \\rundll32.exe\n    - \\cmstp.exe\n    - \\msiexec.exe\n    - \\7z.exe\n    - \\winrar.exe\n    - \\wevtutil.exe\n    - \\net.exe\n    - \\net1.exe\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(12,631,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\netsh.exe\n    CommandLine|contains|all:\n    - add\n    - helper\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'); /*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; UNLOCK TABLES; @@ -860,7 +857,7 @@ CREATE TABLE `journals` ( KEY `index_journals_on_user_id` (`user_id`), KEY `index_journals_on_journalized_id` (`journalized_id`), KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=633 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=5047 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -869,7 +866,6 @@ CREATE TABLE `journals` ( LOCK TABLES `journals` WRITE; /*!40000 ALTER TABLE `journals` DISABLE KEYS */; -INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert 
config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported 
successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported 
successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported 
successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported 
successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported 
successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported 
successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported 
successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported 
successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported 
successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported 
successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0),(624,620,'Issue',9,'Play imported successfully.','2020-05-13 13:30:57',0),(625,621,'Issue',9,'Play imported successfully.','2020-05-13 14:05:41',0),(626,622,'Issue',9,'Play imported successfully.','2020-05-13 14:07:09',0),(627,420,'Issue',9,'','2020-05-13 14:07:10',0),(628,623,'Issue',9,'Play imported successfully.','2020-05-13 14:07:11',0),(629,494,'Issue',9,'','2020-05-13 14:07:11',0),(630,508,'Issue',9,'','2020-05-13 14:07:11',0),(631,556,'Issue',9,'','2020-05-13 14:07:11',0); /*!40000 ALTER TABLE `journals` ENABLE KEYS */; UNLOCK TABLES; 
@@ -1150,7 +1146,7 @@ CREATE TABLE `queries` ( LOCK TABLES `queries` WRITE; /*!40000 ALTER TABLE `queries` DISABLE KEYS */; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); +INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - 
desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); /*!40000 ALTER TABLE `queries` ENABLE KEYS */; UNLOCK TABLES; 
@@ -1314,7 +1310,7 @@ CREATE TABLE `settings` ( LOCK TABLES `settings` WRITE; /*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 
18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.178:7000/playbook/sigmac\ncreate_url: http://10.66.166.178:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 
16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); +INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- 
[]\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://192.168.15.120:7000/playbook/sigmac\ncreate_url: http://192.168.15.120:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- 
cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); /*!40000 ALTER TABLE `settings` ENABLE KEYS */; UNLOCK TABLES; @@ -1375,7 +1371,7 @@ CREATE TABLE `tokens` ( PRIMARY KEY (`id`), UNIQUE KEY `tokens_value` (`value`), KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=55 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=60 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
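Review bot: The `plugin_redmine_playbook` row (settings id 43) still hardcodes the build host's address, now `convert_url: http://192.168.15.120:7000/playbook/sigmac` and `create_url: http://192.168.15.120:7000/playbook/play`, so every installation seeded from this dump will send Sigma conversions to an arbitrary RFC1918 host over plain HTTP unless a Salt state rewrites the row after import (not visible in this diff); the change only swaps one lab IP for another. If the value is meant to be templated, the dump should carry a clearly invalid placeholder (e.g. `http://PLAYBOOK_HOST:7000/playbook/sigmac`) that the state replaces, so a missed substitution fails loudly instead of talking to whatever answers at that address. The same seed also carries `rest_api_enabled` = `'1'`, `session_lifetime` and `session_timeout` = `'0'`, and an empty `password_required_char_classes`; for an analyst-facing app a non-zero `session_timeout` and at least one required character class would be a cheap hardening, and neither is addressed here.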
@@ -1384,7 +1380,7 @@ CREATE TABLE `tokens` ( LOCK TABLES `tokens` WRITE; /*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'); +INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 
18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'); /*!40000 ALTER TABLE `tokens` ENABLE KEYS */; UNLOCK TABLES; 
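Review bot: The new side adds another live admin session token (row 59, value `2afe6590…`, user 1) to a seed dump that already ships fixed `session`, `feeds` and `api` token values, so every install built from this file starts with identical, publicly known tokens. Combined with `rest_api_enabled` = `'1'` in the settings seed, the `api` row (25, user 9, `de6639318502476f…`) is in effect a shared REST API key for the automation account across all deployments, unless install-time code regenerates it — nothing in this diff shows that. Suggest seeding an empty table instead: keep the `LOCK TABLES`/`DISABLE KEYS` wrapper and drop the `INSERT INTO \`tokens\`` line entirely, then have the Salt state create the automation API key at install time and hand it to the consumers. A guard in the dump-refresh procedure (e.g. failing on any `INSERT INTO \`tokens\``) would stop stale dev-host session rows from reappearing on each re-export, which is what this hunk shows happening.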
@@ -1485,7 +1481,7 @@ CREATE TABLE `users` ( LOCK TABLES `users` WRITE; /*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-13 14:22:22','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-13 14:23:44','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); +INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-01 18:11:07','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member 
users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-07-01 17:54:37','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); /*!40000 ALTER TABLE `users` ENABLE KEYS */; UNLOCK TABLES; @@ -1571,7 +1567,7 @@ CREATE TABLE `webhooks` ( LOCK TABLES `webhooks` WRITE; /*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.178:7000/playbook/webhook',1); +INSERT INTO `webhooks` VALUES (1,'http://192.168.15.120:7000/playbook/webhook',1); /*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; UNLOCK TABLES; @@ -1746,7 +1742,7 @@ CREATE TABLE `workflows` ( KEY `index_workflows_on_role_id` (`role_id`), KEY `index_workflows_on_new_status_id` (`new_status_id`), KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=452 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
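Review bot: The `users` seed still ships fixed `hashed_password`/`salt` pairs for `admin`, `analyst` and `automation` (rows 1, 8, 9); only `last_login_on` changes here, so every installation continues to start with the same three credentials and the same salts, and a password recovered on one deployment works on all of them. If the column order matches Redmine's `users` schema, the `0` immediately after each salt is `must_change_passwd`; setting it to `1` for the three seeded accounts (e.g. `...,'5ceb2c95ce1593d4ba034d385ceefb2f',1,'2020-04-26 13:10:27'`) would at least force rotation on first login, and the install state should ideally set random passwords through the API rather than relying on the dump. The `automation` row appears to be a service account that authenticates via its API key rather than interactively, so its credential also needs install-time rotation; this diff does not show whether that happens.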
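Review bot: The `webhooks` row is another hardcoded lab address, now `http://192.168.15.120:7000/playbook/webhook`, over plaintext HTTP and enabled (`,1)`), so unless a later state rewrites it, Redmine on a fresh install will post issue data to whatever host owns that IP on the deployer's network. As with the settings row, prefer an obviously invalid placeholder that the Salt state must substitute, or seed the table empty and create the webhook at install time with the real manager hostname.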
@@ -1755,7 +1751,7 @@ CREATE TABLE `workflows` ( LOCK TABLES `workflows` WRITE; /*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (116,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(117,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(118,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(119,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(120,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(121,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(122,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(123,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(124,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(125,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(126,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(127,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(128,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(129,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(130,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(131,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(133,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(135,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(136,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(137,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(138,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(139,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(140,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(141,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(142,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(143,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(144,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(145,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(146,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(147,1,3,0,3,0,0,'WorkflowPermission','8','readonly'
),(148,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(149,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(150,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(152,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(154,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(155,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(156,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(157,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(158,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(159,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(160,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(161,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(162,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(163,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(164,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(165,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(166,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(167,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(168,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(169,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(171,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(173,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(174,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(175,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(176,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(177,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(178,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(179,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(180,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(181,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(182,1,5,0,3,0,0,'WorkflowPermission','5','r
eadonly'),(183,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(184,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(185,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(186,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(187,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(188,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(190,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(192,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(193,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(194,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(195,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(196,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(197,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(198,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(199,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(200,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(201,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(202,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(203,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(204,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(205,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(206,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(207,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(209,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'Wor
kflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL); +INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NU
LL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','rea
donly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission',
'19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermis
sion','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'); /*!40000 ALTER TABLE `workflows` ENABLE KEYS */; UNLOCK TABLES; /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; @@ -1768,4 +1764,4 @@ UNLOCK TABLES; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2020-05-13 15:01:33 +-- Dump completed on 2020-07-01 20:41:10 diff --git a/salt/playbook/files/playbook_db_init.sql.backup b/salt/playbook/files/playbook_db_init.sql.backup new file mode 100644 index 000000000..0a10e6eb5 --- /dev/null +++ b/salt/playbook/files/playbook_db_init.sql.backup 
@@ -0,0 +1,1771 @@ +-- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) +-- +-- Host: localhost Database: playbook +-- ------------------------------------------------------ +-- Server version 5.7.24 + +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; +/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; +/*!40101 SET NAMES utf8 */; +/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; +/*!40103 SET TIME_ZONE='+00:00' */; +/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; +/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; +/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; +/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; + +-- +-- Current Database: `playbook` +-- + +CREATE DATABASE /*!32312 IF NOT EXISTS*/ `playbook` /*!40100 DEFAULT CHARACTER SET latin1 */; + +USE `playbook`; + +-- +-- Table structure for table `ar_internal_metadata` +-- + +DROP TABLE IF EXISTS `ar_internal_metadata`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `ar_internal_metadata` ( + `key` varchar(255) NOT NULL, + `value` varchar(255) DEFAULT NULL, + `created_at` datetime NOT NULL, + `updated_at` datetime NOT NULL, + PRIMARY KEY (`key`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `ar_internal_metadata` +-- + +LOCK TABLES `ar_internal_metadata` WRITE; +/*!40000 ALTER TABLE `ar_internal_metadata` DISABLE KEYS */; +INSERT INTO `ar_internal_metadata` VALUES ('environment','production','2020-04-26 13:08:38','2020-04-26 13:08:38'); +/*!40000 ALTER TABLE `ar_internal_metadata` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `attachments` +-- + +DROP TABLE IF EXISTS `attachments`; +/*!40101 SET @saved_cs_client = @@character_set_client */; 
+/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `attachments` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `container_id` int(11) DEFAULT NULL, + `container_type` varchar(30) DEFAULT NULL, + `filename` varchar(255) NOT NULL DEFAULT '', + `disk_filename` varchar(255) NOT NULL DEFAULT '', + `filesize` bigint(20) NOT NULL DEFAULT '0', + `content_type` varchar(255) DEFAULT '', + `digest` varchar(64) NOT NULL DEFAULT '', + `downloads` int(11) NOT NULL DEFAULT '0', + `author_id` int(11) NOT NULL DEFAULT '0', + `created_on` timestamp NULL DEFAULT NULL, + `description` varchar(255) DEFAULT NULL, + `disk_directory` varchar(255) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_attachments_on_author_id` (`author_id`), + KEY `index_attachments_on_created_on` (`created_on`), + KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), + KEY `index_attachments_on_disk_filename` (`disk_filename`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `attachments` +-- + +LOCK TABLES `attachments` WRITE; +/*!40000 ALTER TABLE `attachments` DISABLE KEYS */; +/*!40000 ALTER TABLE `attachments` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `auth_sources` +-- + +DROP TABLE IF EXISTS `auth_sources`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `auth_sources` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `type` varchar(30) NOT NULL DEFAULT '', + `name` varchar(60) NOT NULL DEFAULT '', + `host` varchar(60) DEFAULT NULL, + `port` int(11) DEFAULT NULL, + `account` varchar(255) DEFAULT NULL, + `account_password` varchar(255) DEFAULT '', + `base_dn` varchar(255) DEFAULT NULL, + `attr_login` varchar(30) DEFAULT NULL, + `attr_firstname` varchar(30) DEFAULT NULL, + `attr_lastname` varchar(30) DEFAULT NULL, + `attr_mail` varchar(30) DEFAULT NULL, + `onthefly_register` tinyint(1) 
NOT NULL DEFAULT '0', + `tls` tinyint(1) NOT NULL DEFAULT '0', + `filter` text, + `timeout` int(11) DEFAULT NULL, + `verify_peer` tinyint(1) NOT NULL DEFAULT '1', + PRIMARY KEY (`id`), + KEY `index_auth_sources_on_id_and_type` (`id`,`type`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `auth_sources` +-- + +LOCK TABLES `auth_sources` WRITE; +/*!40000 ALTER TABLE `auth_sources` DISABLE KEYS */; +/*!40000 ALTER TABLE `auth_sources` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `boards` +-- + +DROP TABLE IF EXISTS `boards`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `boards` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL, + `name` varchar(255) NOT NULL DEFAULT '', + `description` varchar(255) DEFAULT NULL, + `position` int(11) DEFAULT NULL, + `topics_count` int(11) NOT NULL DEFAULT '0', + `messages_count` int(11) NOT NULL DEFAULT '0', + `last_message_id` int(11) DEFAULT NULL, + `parent_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `boards_project_id` (`project_id`), + KEY `index_boards_on_last_message_id` (`last_message_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `boards` +-- + +LOCK TABLES `boards` WRITE; +/*!40000 ALTER TABLE `boards` DISABLE KEYS */; +/*!40000 ALTER TABLE `boards` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `changes` +-- + +DROP TABLE IF EXISTS `changes`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `changes` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `changeset_id` int(11) NOT NULL, + `action` varchar(1) NOT NULL DEFAULT '', + `path` text NOT NULL, + `from_path` text, + `from_revision` varchar(255) DEFAULT NULL, + `revision` varchar(255) 
DEFAULT NULL, + `branch` varchar(255) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `changesets_changeset_id` (`changeset_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `changes` +-- + +LOCK TABLES `changes` WRITE; +/*!40000 ALTER TABLE `changes` DISABLE KEYS */; +/*!40000 ALTER TABLE `changes` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `changeset_parents` +-- + +DROP TABLE IF EXISTS `changeset_parents`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `changeset_parents` ( + `changeset_id` int(11) NOT NULL, + `parent_id` int(11) NOT NULL, + KEY `changeset_parents_changeset_ids` (`changeset_id`), + KEY `changeset_parents_parent_ids` (`parent_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `changeset_parents` +-- + +LOCK TABLES `changeset_parents` WRITE; +/*!40000 ALTER TABLE `changeset_parents` DISABLE KEYS */; +/*!40000 ALTER TABLE `changeset_parents` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `changesets` +-- + +DROP TABLE IF EXISTS `changesets`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `changesets` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `repository_id` int(11) NOT NULL, + `revision` varchar(255) NOT NULL, + `committer` varchar(255) DEFAULT NULL, + `committed_on` datetime NOT NULL, + `comments` longtext, + `commit_date` date DEFAULT NULL, + `scmid` varchar(255) DEFAULT NULL, + `user_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), + KEY `index_changesets_on_user_id` (`user_id`), + KEY `index_changesets_on_repository_id` (`repository_id`), + KEY `index_changesets_on_committed_on` (`committed_on`), + KEY `changesets_repos_scmid` 
(`repository_id`,`scmid`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `changesets` +-- + +LOCK TABLES `changesets` WRITE; +/*!40000 ALTER TABLE `changesets` DISABLE KEYS */; +/*!40000 ALTER TABLE `changesets` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `changesets_issues` +-- + +DROP TABLE IF EXISTS `changesets_issues`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `changesets_issues` ( + `changeset_id` int(11) NOT NULL, + `issue_id` int(11) NOT NULL, + UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), + KEY `index_changesets_issues_on_issue_id` (`issue_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `changesets_issues` +-- + +LOCK TABLES `changesets_issues` WRITE; +/*!40000 ALTER TABLE `changesets_issues` DISABLE KEYS */; +/*!40000 ALTER TABLE `changesets_issues` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `comments` +-- + +DROP TABLE IF EXISTS `comments`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `comments` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `commented_type` varchar(30) NOT NULL DEFAULT '', + `commented_id` int(11) NOT NULL DEFAULT '0', + `author_id` int(11) NOT NULL DEFAULT '0', + `content` text, + `created_on` datetime NOT NULL, + `updated_on` datetime NOT NULL, + PRIMARY KEY (`id`), + KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), + KEY `index_comments_on_author_id` (`author_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `comments` +-- + +LOCK TABLES `comments` WRITE; +/*!40000 ALTER TABLE `comments` DISABLE KEYS */; +/*!40000 ALTER 
TABLE `comments` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_field_enumerations` +-- + +DROP TABLE IF EXISTS `custom_field_enumerations`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_field_enumerations` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `custom_field_id` int(11) NOT NULL, + `name` varchar(255) NOT NULL, + `active` tinyint(1) NOT NULL DEFAULT '1', + `position` int(11) NOT NULL DEFAULT '1', + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_field_enumerations` +-- + +LOCK TABLES `custom_field_enumerations` WRITE; +/*!40000 ALTER TABLE `custom_field_enumerations` DISABLE KEYS */; +/*!40000 ALTER TABLE `custom_field_enumerations` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_fields` +-- + +DROP TABLE IF EXISTS `custom_fields`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_fields` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `type` varchar(30) NOT NULL DEFAULT '', + `name` varchar(30) NOT NULL DEFAULT '', + `field_format` varchar(30) NOT NULL DEFAULT '', + `possible_values` text, + `regexp` varchar(255) DEFAULT '', + `min_length` int(11) DEFAULT NULL, + `max_length` int(11) DEFAULT NULL, + `is_required` tinyint(1) NOT NULL DEFAULT '0', + `is_for_all` tinyint(1) NOT NULL DEFAULT '0', + `is_filter` tinyint(1) NOT NULL DEFAULT '0', + `position` int(11) DEFAULT NULL, + `searchable` tinyint(1) DEFAULT '0', + `default_value` text, + `editable` tinyint(1) DEFAULT '1', + `visible` tinyint(1) NOT NULL DEFAULT '1', + `multiple` tinyint(1) DEFAULT '0', + `format_store` text, + `description` text, + PRIMARY KEY (`id`), + KEY `index_custom_fields_on_id_and_type` (`id`,`type`) +) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; +/*!40101 
SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_fields` +-- + +LOCK TABLES `custom_fields` WRITE; +/*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; +INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,16,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,12,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,17,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- 
low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Signature ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(14,'IssueCustomField','Product','list','---\n- windows\n- linux\n- antivirus\n- osquery\n','',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- 
T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1224\n- T1225\n- T1226\n- T1227\n- T1228\n- T1229\n- T1230\n- T1231\n- T1232\n- T1233\n- T1234\n- T1235\n- T1236\n- T1237\n- T1238\n- T1239\n- T1240\n- T1241\n- T1242\n- T1243\n- T1244\n- T1245\n- T1246\n- T1247\n- T1248\n- T1249\n- T1250\n- T1251\n- T1252\n- T1253\n- T1254\n- T1255\n- T1256\n- T1257\n- T1258\n- T1259\n- T1260\n- T1261\n- T1262\n- T1263\n- T1264\n- T1265\n- T1266\n- T1267\n- T1268\n- T1269\n- T1270\n- T1271\n- T1272\n- T1273\n- T1274\n- T1275\n- T1276\n- T1277\n- T1278\n- T1279\n- T1280\n- T1281\n- T1282\n- T1283\n- T1284\n- T1285\n- T1286\n- T1287\n- T1288\n- T1289\n- T1290\n- T1291\n- T1292\n- T1293\n- T1294\n- T1295\n- T1296\n- T1297\n- T1298\n- T1299\n- T1300\n- T1301\n- T1302\n- T1303\n- T1304\n- T1305\n- T1306\n- T1307\n- T1308\n- T1309\n- T1310\n- T1311\n- T1312\n- T1313\n- T1314\n- T1315\n- T1316\n- T1317\n- T1318\n- T1319\n- T1320\n- T1321\n- T1322\n- T1323\n- T1324\n- T1325\n- T1326\n- 
T1327\n- T1328\n- T1329\n- T1330\n- T1331\n- T1332\n- T1333\n- T1334\n- T1335\n- T1336\n- T1337\n- T1338\n- T1339\n- T1340\n- T1341\n- T1342\n- T1343\n- T1344\n- T1345\n- T1346\n- T1347\n- T1348\n- T1349\n- T1350\n- T1351\n- T1352\n- T1353\n- T1354\n- T1355\n- T1356\n- T1357\n- T1358\n- T1359\n- T1360\n- T1361\n- T1362\n- T1363\n- T1364\n- T1365\n- T1366\n- T1367\n- T1368\n- T1369\n- T1370\n- T1371\n- T1372\n- T1373\n- T1374\n- T1375\n- T1376\n- T1377\n- T1378\n- T1379\n- T1380\n- T1381\n- T1382\n- T1383\n- T1384\n- T1385\n- T1386\n- T1387\n- T1388\n- T1389\n- T1390\n- T1391\n- T1392\n- T1393\n- T1394\n- T1395\n- T1396\n- T1397\n- T1398\n- T1399\n- T1400\n- T1401\n- T1402\n- T1403\n- T1404\n- T1405\n- T1406\n- T1407\n- T1408\n- T1409\n- T1410\n- T1411\n- T1412\n- T1413\n- T1414\n- T1415\n- T1416\n- T1417\n- T1418\n- T1419\n- T1420\n- T1421\n- T1422\n- T1423\n- T1424\n- T1425\n- T1426\n- T1427\n- T1428\n- T1429\n- T1430\n- T1431\n- T1432\n- T1433\n- T1434\n- T1435\n- T1436\n- T1437\n- T1438\n- T1439\n- T1440\n- T1441\n- T1442\n- T1443\n- T1444\n- T1445\n- T1446\n- T1447\n- T1448\n- T1449\n- T1450\n- T1451\n- T1452\n- T1453\n- T1454\n- T1455\n- T1456\n- T1457\n- T1458\n- T1459\n- T1460\n- T1461\n- T1462\n- T1463\n- T1464\n- T1465\n- T1466\n- T1467\n- T1468\n- T1469\n- T1470\n- T1471\n- T1472\n- T1473\n- T1474\n- T1475\n- T1476\n- T1477\n- T1478\n- T1479\n- T1480\n- T1481\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1507\n- T1508\n- T1509\n- T1510\n- T1511\n- T1512\n- T1513\n- T1514\n- T1515\n- T1516\n- T1517\n- T1518\n- T1519\n- T1520\n- T1521\n- T1522\n- T1523\n- T1524\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1532\n- T1533\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- 
T1549\n- T1550\n- T1551\n- T1552\n- T1553\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(16,'IssueCustomField','Category','list','---\n- win-sysmon\n- win-builtin\n- win-proc\n- win-malware\n- win-other\n- win-powershell\n','',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,11,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''); +/*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_fields_projects` +-- + +DROP TABLE IF EXISTS `custom_fields_projects`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_fields_projects` ( + `custom_field_id` int(11) NOT NULL DEFAULT '0', + `project_id` int(11) NOT NULL DEFAULT '0', + UNIQUE KEY `index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_fields_projects` +-- + +LOCK TABLES `custom_fields_projects` WRITE; +/*!40000 ALTER TABLE `custom_fields_projects` DISABLE KEYS */; +/*!40000 ALTER TABLE `custom_fields_projects` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_fields_roles` +-- + +DROP TABLE IF EXISTS `custom_fields_roles`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_fields_roles` ( + `custom_field_id` int(11) NOT NULL, + `role_id` int(11) NOT NULL, + UNIQUE KEY 
`custom_fields_roles_ids` (`custom_field_id`,`role_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_fields_roles` +-- + +LOCK TABLES `custom_fields_roles` WRITE; +/*!40000 ALTER TABLE `custom_fields_roles` DISABLE KEYS */; +/*!40000 ALTER TABLE `custom_fields_roles` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_fields_trackers` +-- + +DROP TABLE IF EXISTS `custom_fields_trackers`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_fields_trackers` ( + `custom_field_id` int(11) NOT NULL DEFAULT '0', + `tracker_id` int(11) NOT NULL DEFAULT '0', + UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_fields_trackers` +-- + +LOCK TABLES `custom_fields_trackers` WRITE; +/*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; +INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(14,1),(15,1),(16,1),(17,1); +/*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `custom_values` +-- + +DROP TABLE IF EXISTS `custom_values`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `custom_values` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `customized_type` varchar(30) NOT NULL DEFAULT '', + `customized_id` int(11) NOT NULL DEFAULT '0', + `custom_field_id` int(11) NOT NULL DEFAULT '0', + `value` longtext, + PRIMARY KEY (`id`), + KEY `custom_values_customized` (`customized_type`,`customized_id`), + KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) +) ENGINE=InnoDB 
AUTO_INCREMENT=11256 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `custom_values` +-- + +LOCK TABLES `custom_values` WRITE; +/*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; +INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n  (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n  selection:\n    EventID: 15\n  filter:\n    Imphash:\n    - \'00000000000000000000000000000000\'\n    - \n  condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|startswith: \\PSHost\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n
\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n    - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n    - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n    - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n
\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\atctl\n    - \\userpipe\n    - \\iehelper\n    - \\sdlrpc\n    - \\comnap\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n
\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n  condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n
\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage:\n    - \'*\\System32\\cscript.exe\'\n    - \'*\\System32\\wscript.exe\'\n    - \'*\\System32\\mshta.exe\'\n    - \'*\\winword.exe\'\n    - \'*\\excel.exe\'\n    TargetImage: \'*\\SysWOW64\\\\*\'\n    StartModule:\n  condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n
\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n  which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetProcessAddress|endswith:\n    - 0B80\n    - 0C7C\n    - 0C88\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n
\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n  to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    StartModule|endswith: \\kernel32.dll\n    StartFunction: LoadLibraryA\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n
\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n  dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n  (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage|endswith: \\lsass.exe\n    GrantedAccess|contains:\n    - \'0x40\'\n    - \'0x1000\'\n    - \'0x1400\'\n    - \'0x100000\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1438\'\n    - \'0x143a\'\n    - \'0x1418\'\n    - \'0x1f0fff\'\n    - \'0x1f1fff\'\n    - \'0x1f2fff\'\n    - \'0x1f3fff\'\n  filter:\n    ProcessName|endswith:\n    - \\wmiprvse.exe\n    - \\taskmgr.exe\n    - \\procexp64.exe\n    - \\procexp.exe\n    - \\lsm.exe\n    - \\csrss.exe\n    - \\wininit.exe\n    - \\vmtoolsd.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n  with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n  files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains:\n    - \\pwdump\n    - \\kirbi\n    - \\pwhashes\n    - \\wce_ccache\n    - \\wce_krbtkts\n    - \\fgdump-log\n    TargetFilename|endswith:\n    - \\test.pwd\n    - \\lsremora64.dll\n    - \\lsremora.dll\n    - \\fgexec.exe\n    - \\wceaux.dll\n    - \\SAM.out\n    - \\SECURITY.out\n    - \\SYSTEM.out\n    - \\NTDS.out\n    - \\DumpExt.dll\n    - \\DumpSvc.exe\n    - \\cachedump64.exe\n    - \\cachedump.exe\n    - \\pstgdump.exe\n    - \\servpw.exe\n    - \\servpw64.exe\n    - \\pwdump.exe\n    - \\procdump64.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n  pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|contains:\n    - \\lsadump\n    - \\cachedump\n    - \\wceservicepipe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n
\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n  parameter in Registry, which can be used to execute code in context of the DHCP\n  server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n  Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID: 12\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\Temp\\debug.bin\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n  reflectively loaded libraries in their memory space. An example is SilentTrinity\n  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n  call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n  the module name. Usually this means the stack call points to a module that was reflectively\n  loaded in memory. Adding to this, it is not common to see such few calls in the\n  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n  of the functions required by the process to execute certain routines are already\n  present in memory, not requiring any calls to external libraries. The latter should\n  also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_01:\n    EventID: 10\n    CallTrace:\n    - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n    - \'*UNKNOWN(*)|UNKNOWN(*)\'\n  selection_02:\n    EventID: 10\n    CallTrace: \'*UNKNOWN*\'\n  granted_access:\n    GrantedAccess:\n    - \'0x1F0FFF\'\n    - \'0x1F1FFF\'\n    - \'0x143A\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1F2FFF\'\n    - \'0x1F3FFF\'\n    - \'0x1FFFFF\'\n  condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n
\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n  powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\System.Management.Automation.Dll\n    - \\System.Management.Automation.ni.Dll\n  filter:\n    Image|endswith:\n    - \\powershell.exe\n    - \\WINDOWS\\System32\\sdiagnhost.exe\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n  Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\windows\\system32\\svchost.exe\'\n    GrantedAccess: \'0x1f3fff\'\n    CallTrace:\n    - \'*unknown*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    GrantedAccess: \'0x1fffff\'\n    CallTrace:\n    - \'*dbghelp.dll*\'\n    - \'*dbgcore.dll*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n  will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains: lsass\n    TargetFilename|endswith: dmp\n  condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n  responder or forensic investigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnkown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Sysmon config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\isapi_http\n    - \\isapi_dg\n    - \\isapi_dg2\n    - \\sdlrpc\n    - \\ahexec\n    - \\winsession\n    - \\lsassw\n    - \\46a676ab7f179e511e30dd2dc41bd388\n    - \\9f81f59bc58452127884ce513865ed20\n    - \\e710f28d59aa529d6792ca6ff0ca1b34\n    - \\rpchlp_3\n    - \\NamePipe_MoreWindows\n    - \\pcheap_reuse\n    - \\msagent_*\n    - \\gruntsvc\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n  on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationPort:\n    - \'4443\'\n    - \'2448\'\n    - \'8143\'\n    - \'1777\'\n    - \'1443\'\n    - \'243\'\n    - \'65535\'\n    - \'13506\'\n    - \'3360\'\n    - \'200\'\n    - \'198\'\n    - \'49180\'\n    - \'13507\'\n    - \'6625\'\n    - \'4444\'\n    - \'4438\'\n    - \'1904\'\n    - \'13505\'\n    - \'13504\'\n    - \'12102\'\n    - \'9631\'\n    - \'5445\'\n    - \'2443\'\n    - \'777\'\n    - \'13394\'\n    - \'13145\'\n    - \'12103\'\n    - \'5552\'\n    - \'3939\'\n    - \'3675\'\n    - \'666\'\n    - \'473\'\n    - \'5649\'\n    - \'4455\'\n    - \'4433\'\n    - \'1817\'\n    - \'100\'\n    - \'65520\'\n    - \'1960\'\n    - \'1515\'\n    - \'743\'\n    - \'700\'\n    - \'14154\'\n    - \'14103\'\n    - \'14102\'\n    - \'12322\'\n    - \'10101\'\n    - \'7210\'\n    - \'4040\'\n    - \'9943\'\n  filter1:\n    Image: \'*\\Program Files*\'\n  filter2:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n    DestinationIsIpv6: \'false\'\n  condition: selection and not ( filter1 
or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n
\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n  a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\verclsid.exe\'\n    GrantedAccess: \'0x1FFFFF\'\n  combination1:\n    CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n  combination2:\n    SourceImage: \'*\\Microsoft Office\\\\*\'\n    CallTrace: \'*|UNKNOWN*\'\n  condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndate: 2017/03/13\ndetection:\n  selector:\n    EventID: 7\n    Image: C:\\Windows\\System32\\rundll32.exe\n  dllload1:\n    ImageLoaded: \'*\\vaultcli.dll\'\n  dllload2:\n    ImageLoaded: \'*\\wlanapi.dll\'\n  exclusion:\n    ImageLoaded:\n    - ntdsapi.dll\n    - netapi32.dll\n    - imm32.dll\n    - samlib.dll\n    - combase.dll\n    - srvcli.dll\n    - shcore.dll\n    - ntasn1.dll\n    - cryptdll.dll\n    - logoncli.dll\n  timeframe: 30s\n  condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n  to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n  condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n
\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n  in a stealth way. Tools like ProcessHacker and some attacker tradecraft use this\n  API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrinity C2 Framework\n  has a module that leverages this API to dump the contents of Lsass.exe and transfer\n  it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  signedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Image|endswith:\n    - \\msbuild.exe\n    - \\cmd.exe\n    - \\svchost.exe\n    - \\rundll32.exe\n    - \\powershell.exe\n    - \\word.exe\n    - \\excel.exe\n    - \\powerpnt.exe\n    - \\outlook.exe\n    - \\monitoringhost.exe\n    - \\wmic.exe\n    - \\msiexec.exe\n    - \\bash.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\schtasks.exe\n    - \\dnx.exe\n    - \\regsvcs.exe\n    - \\sc.exe\n    - \\scriptrunner.exe\n  unsignedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Signed: \'FALSE\'\n  filter:\n    Image|contains: Visual Studio\n  condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n
\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    EventID: 12\n    EventType: DeleteValue\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n  selection2:\n    EventID: 13\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n  condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n  in the Registry key can be abused to obtain persistence and privilege escalation\n  by causing a malicious DLL to be loaded and run in the context of separate processes\n  on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n  into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  - EventID: 14\n    NewName:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n
\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n  EventID 8 in combination with the lsass.exe process as TargetImage. The process\n  in field Process is the malicious program. A single execution can lead to hundreds\n  of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetImage: C:\\Windows\\System32\\lsass.exe\n    StartModule:\n  condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\n Unknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS-answers by one domain with IPs from internal\n  and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved\n  in host cache for a while TTL).\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  dns_answer:\n    EventID: 22\n    QueryName: \'*\'\n    QueryStatus: \'0\'\n  filter_int_ip:\n    QueryResults|startswith:\n    - (::ffff:)?10.\n    - (::ffff:)?192.168.\n    - (::ffff:)?172.16.\n    - (::ffff:)?172.17.\n    - (::ffff:)?172.18.\n    - (::ffff:)?172.19.\n    - (::ffff:)?172.20.\n    - (::ffff:)?172.21.\n    - (::ffff:)?172.22.\n    - (::ffff:)?172.23.\n    - (::ffff:)?172.24.\n    - (::ffff:)?172.25.\n    - (::ffff:)?172.26.\n    - (::ffff:)?172.27.\n    - (::ffff:)?172.28.\n    - (::ffff:)?172.29.\n    - (::ffff:)?172.30.\n    - (::ffff:)?172.31.\n    - (::ffff:)?127.\n  timeframe: 30s\n  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n    | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detect modification of services configuration (ImagePath, FailureCommand\n  and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    IntegrityLevel: Medium\n    TargetObject|contains: \\services\\\n    TargetObject|endswith:\n    - \\ImagePath\n    - \\FailureCommand\n    - \\Parameters\\ServiceDll\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR 
*\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename:\n    - \'*\\Invoke-DllInjection.ps1\'\n    - \'*\\Invoke-WmiCommand.ps1\'\n    - \'*\\Get-GPPPassword.ps1\'\n    - \'*\\Get-Keystrokes.ps1\'\n    - \'*\\Get-VaultCredential.ps1\'\n    - \'*\\Invoke-CredentialInjection.ps1\'\n    - \'*\\Invoke-Mimikatz.ps1\'\n    - \'*\\Invoke-NinjaCopy.ps1\'\n    - \'*\\Invoke-TokenManipulation.ps1\'\n    - \'*\\Out-Minidump.ps1\'\n    - \'*\\VolumeShadowCopyTools.ps1\'\n    - \'*\\Invoke-ReflectivePEInjection.ps1\'\n    - \'*\\Get-TimedScreenshot.ps1\'\n    - \'*\\Invoke-UserHunter.ps1\'\n    - \'*\\Find-GPOLocation.ps1\'\n    - \'*\\Invoke-ACLScanner.ps1\'\n    - \'*\\Invoke-DowngradeAccount.ps1\'\n    - \'*\\Get-ServiceUnquoted.ps1\'\n    - \'*\\Get-ServiceFilePermission.ps1\'\n    - \'*\\Get-ServicePermission.ps1\'\n    - \'*\\Invoke-ServiceAbuse.ps1\'\n    - \'*\\Install-ServiceBinary.ps1\'\n    - \'*\\Get-RegAutoLogon.ps1\'\n    - \'*\\Get-VulnAutoRun.ps1\'\n    - \'*\\Get-VulnSchTask.ps1\'\n    - \'*\\Get-UnattendedInstallFile.ps1\'\n    - \'*\\Get-WebConfig.ps1\'\n    - \'*\\Get-ApplicationHost.ps1\'\n    - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n    - \'*\\Get-Unconstrained.ps1\'\n    - \'*\\Add-RegBackdoor.ps1\'\n    - \'*\\Add-ScrnSaveBackdoor.ps1\'\n    - \'*\\Gupt-Backdoor.ps1\'\n    - \'*\\Invoke-ADSBackdoor.ps1\'\n    - \'*\\Enabled-DuplicateToken.ps1\'\n    - \'*\\Invoke-PsUaCme.ps1\'\n    - \'*\\Remove-Update.ps1\'\n    - \'*\\Check-VM.ps1\'\n    - 
\'*\\Get-LSASecret.ps1\'\n    - \'*\\Get-PassHashes.ps1\'\n    - \'*\\Show-TargetScreen.ps1\'\n    - \'*\\Port-Scan.ps1\'\n    - \'*\\Invoke-PoshRatHttp.ps1\'\n    - \'*\\Invoke-PowerShellTCP.ps1\'\n    - \'*\\Invoke-PowerShellWMI.ps1\'\n    - \'*\\Add-Exfiltration.ps1\'\n    - \'*\\Add-Persistence.ps1\'\n    - \'*\\Do-Exfiltration.ps1\'\n    - \'*\\Start-CaptureServer.ps1\'\n    - \'*\\Invoke-ShellCode.ps1\'\n    - \'*\\Get-ChromeDump.ps1\'\n    - \'*\\Get-ClipboardContents.ps1\'\n    - \'*\\Get-FoxDump.ps1\'\n    - \'*\\Get-IndexedItem.ps1\'\n    - \'*\\Get-Screenshot.ps1\'\n    - \'*\\Invoke-Inveigh.ps1\'\n    - \'*\\Invoke-NetRipper.ps1\'\n    - \'*\\Invoke-EgressCheck.ps1\'\n    - \'*\\Invoke-PostExfil.ps1\'\n    - \'*\\Invoke-PSInject.ps1\'\n    - \'*\\Invoke-RunAs.ps1\'\n    - \'*\\MailRaider.ps1\'\n    - \'*\\New-HoneyHash.ps1\'\n    - \'*\\Set-MacAttribute.ps1\'\n    - \'*\\Invoke-DCSync.ps1\'\n    - \'*\\Invoke-PowerDump.ps1\'\n    - \'*\\Exploit-Jboss.ps1\'\n    - \'*\\Invoke-ThunderStruck.ps1\'\n    - \'*\\Invoke-VoiceTroll.ps1\'\n    - \'*\\Set-Wallpaper.ps1\'\n    - \'*\\Invoke-InveighRelay.ps1\'\n    - \'*\\Invoke-PsExec.ps1\'\n    - \'*\\Invoke-SSHCommand.ps1\'\n    - \'*\\Get-SecurityPackages.ps1\'\n    - \'*\\Install-SSP.ps1\'\n    - \'*\\Invoke-BackdoorLNK.ps1\'\n    - \'*\\PowerBreach.ps1\'\n    - \'*\\Get-SiteListPassword.ps1\'\n    - \'*\\Get-System.ps1\'\n    - \'*\\Invoke-BypassUAC.ps1\'\n    - \'*\\Invoke-Tater.ps1\'\n    - \'*\\Invoke-WScriptBypassUAC.ps1\'\n    - \'*\\PowerUp.ps1\'\n    - \'*\\PowerView.ps1\'\n    - \'*\\Get-RickAstley.ps1\'\n    - \'*\\Find-Fruit.ps1\'\n    - \'*\\HTTP-Login.ps1\'\n    - \'*\\Find-TrustedDocuments.ps1\'\n    - \'*\\Invoke-Paranoia.ps1\'\n    - \'*\\Invoke-WinEnum.ps1\'\n    - \'*\\Invoke-ARPScan.ps1\'\n    - \'*\\Invoke-PortScan.ps1\'\n    - \'*\\Invoke-ReverseDNSLookup.ps1\'\n    - \'*\\Invoke-SMBScanner.ps1\'\n    - \'*\\Invoke-Mimikittenz.ps1\'\n  condition: selection\nfalsepositives:\n- Penetration 
Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a Powershell process that opens network connections - check for\n  suspicious target ports and target systems - adjust to your environment (e.g. extend\n  filters with company\'s ip range\')\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\powershell.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.0.0.1\n    DestinationIsIpv6: \'false\'\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n
\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n
\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 9\n  filter_1:\n    Device|contains: floppy\n  filter_2:\n  - Image|endswith:\n    - \\wmiprvse.exe\n    - \\sdiagnhost.exe\n    - \\searchindexer.exe\n    - \\csrss.exe\n    - \\defrag.exe\n    - \\smss.exe\n    - \\vssvc.exe\n    - \\compattelrunner.exe\n    - \\wininit.exe\n    - \\autochk.exe\n    - \\taskhost.exe\n    - \\dfsrs.exe\n    - \\vds.exe\n    - \\lsass.exe\n  condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n  and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|endswith:\n    - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n    - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n    Details: DWORD (0x00000000)\n  condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n  address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\svchost.exe\'\n    Initiated: \'true\'\n    SourcePort: 3389\n    DestinationIp:\n    - 127.*\n    - ::1\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg:\n    EventID: 13\n    TargetObject:\n    - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n    - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n    - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n  condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compability'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n  condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n  filter:\n    Details:\n    - \'%%systemroot%%\\system32\\\\*\'\n    - \'%%systemroot%%\\SysWow64\\\\*\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n  condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n  of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject|contains: TrustRecords\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 3\n    - 22\n    Image|endswith: \\regsvr32.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n  connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort:\n    - 5985\n    - 5986\n  filter:\n    User: NT AUTHORITY\\NETWORK SERVICE\n  condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Description: Java Update Scheduler\n  selection2:\n    Description: Java(TM) Update Scheduler\n  filter:\n    Image|endswith:\n    - \\jusched.exe\n  condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n  or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Windows PowerShell\n    Company: Microsoft Corporation\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n  attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    OriginalFileName: procdump\n  filter:\n    Image:\n    - \'*\\procdump.exe\'\n    - \'*\\procdump64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n  malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Execute processes remotely\n    Product: Sysinternals PsExec\n  filter:\n    Image:\n    - \'*\\PsExec.exe\'\n    - \'*\\PsExec64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n
\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\rundll32.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n  condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n  spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n
\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n  SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n  exclusion_images:\n  - Image: C:\\Windows\\system32\\msiexec.exe\n  - Image: C:\\Windows\\syswow64\\MsiExec.exe\n  condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n  tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n  selection_2:\n    Image|contains:\n    - C:\\windows\\system32\\svchost.exe\n    - C:\\windows\\system32\\dllhost.exe\n    - C:\\windows\\system32\\mmc.exe\n    - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n  by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n  to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n  changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  filter:\n    Image:\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\System32\\msiexec.exe\n    - C:\\Windows\\System32\\mmc.exe\n  selection:\n    EventID: 11\n    TargetFilename|endswith: \\desktop.ini\n  condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n  or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    Image:\n    - \'*\\Downloads\\\\*\'\n    - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n    - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n    TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n  condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 6\n    ImageLoaded: \'*\\Temp\\\\*\'\n  condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n  created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    Description: \\?\n    FileVersion: \\?\n  selection2:\n    Description: \\?\n    Product: \\?\n  selection3:\n    Description: \\?\n    Company: \\?\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n  through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\notepad.exe\'\n    ImageLoaded:\n    - \'*\\samlib.dll\'\n    - \'*\\WinSCard.dll\'\n  condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n
\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n  Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n    - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n
\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\assembly\\*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n
\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\clr.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n
\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\dsparse.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\kerberos.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage: \'*\\powershell.exe\'\n    TargetImage: \'*\\rundll32.exe\'\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n  local temporary folder. This driver is used by Sysinternals Process Explorer but\n  also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n  Clever attackers may easily bypass this detection by just renaming the driver filename.\n  Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n  system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Use the following config to generate the necessary Event ID 3 Network\n    Connection events\ndetection:\n  selection:\n    EventID: 3\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - \'*\\Users\\Contacts\\\\*\'\n    - \'*\\Users\\Searches\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n  lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 3389\n    Initiated: \'true\'\n  filter:\n    Image:\n    - \'*\\mstsc.exe\'\n    - \'*\\RTSApp.exe\'\n    - \'*\\RTS2App.exe\'\n    - \'*\\RDCMan.exe\'\n    - \'*\\ws_TunnelService.exe\'\n    - \'*\\RSSensor.exe\'\n    - \'*\\RemoteDesktopManagerFree.exe\'\n    - \'*\\RemoteDesktopManager.exe\'\n    - \'*\\RemoteDesktopManager64.exe\'\n    - \'*\\mRemoteNG.exe\'\n    - \'*\\mRemote.exe\'\n    - \'*\\Terminals.exe\'\n    - \'*\\spiceworks-finder.exe\'\n    - \'*\\FSDiscovery.exe\'\n    - \'*\\FSAssessment.exe\'\n    - \'*\\MobaRTE.exe\'\n    - \'*\\chrome.exe\'\n    - \'*\\thor.exe\'\n    - \'*\\thor64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n  and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n    Details:\n    - C:\\Windows\\Temp\\\\*\n    - C:\\ProgramData\\\\*\n    - \'*\\AppData\\\\*\'\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Temp\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\Default\\\\*\n  condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n
\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n  suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n    Details:\n    - \'*C:\\Windows\\Temp\\\\*\'\n    - \'*\\AppData\\\\*\'\n    - \'%AppData%\\\\*\'\n    - \'*C:\\$Recycle.bin\\\\*\'\n    - \'*C:\\Temp\\\\*\'\n    - \'*C:\\Users\\Public\\\\*\'\n    - \'%Public%\\\\*\'\n    - \'*C:\\Users\\Default\\\\*\'\n    - \'*C:\\Users\\Desktop\\\\*\'\n    - wscript*\n    - cscript*\n  filter:\n    Details|contains:\n    - \\AppData\\Local\\Microsoft\\OneDrive\\\n  condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n  to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n    - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  selection_3:\n    Details|contains:\n    - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n  condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n  may easily bypass this detection by just renaming the services. Therefore just Medium-level\n  and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n
\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\VBE7.DLL*\'\n    - \'*\\VBEUI.DLL*\'\n    - \'*\\VBE7INTL.DLL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\wmiutils.dll\'\n    - \'*\\wbemcomn.dll\'\n    - \'*\\wbemprox.dll\'\n    - \'*\\wbemdisp.dll\'\n    - \'*\\wbemsvc.dll\'\n  condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n  layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n  maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n    subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - \'*\\Keyboard Layout\\Preload\\*\'\n    - \'*\\Keyboard Layout\\Substitutes\\*\'\n    Details|contains:\n    - 429\n    - 50429\n    - 0000042a\n  condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n  depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n  indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 88\n    Initiated: \'true\'\n  filter:\n    Image|endswith:\n    - \\lsass.exe\n    - \\opera.exe\n    - \\chrome.exe\n    - \\firefox.exe\n  condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n  however, this is still largely observed in the wild. This rule aims to detect suspicious\n  processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n  creating remote threads on other processes. It is a generalistic rule, but it should\n  have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n  for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n  selection:\n    EventID: 8\n    SourceImage|endswith:\n    - \\bash.exe\n    - \\cvtres.exe\n    - \\defrag.exe\n    - \\dnx.exe\n    - \\esentutl.exe\n    - \\excel.exe\n    - \\expand.exe\n    - \\explorer.exe\n    - \\find.exe\n    - \\findstr.exe\n    - \\forfiles.exe\n    - \\git.exe\n    - \\gpupdate.exe\n    - \\hh.exe\n    - \\iexplore.exe\n    - \\installutil.exe\n    - \\lync.exe\n    - \\makecab.exe\n    - \\mDNSResponder.exe\n    - \\monitoringhost.exe\n    - \\msbuild.exe\n    - \\mshta.exe\n    - \\msiexec.exe\n    - \\mspaint.exe\n    - \\outlook.exe\n    - \\ping.exe\n    - \\powerpnt.exe\n    - \\powershell.exe\n    - \\provtool.exe\n    - \\python.exe\n    - \\regsvr32.exe\n    - \\robocopy.exe\n    - \\runonce.exe\n    - \\sapcimc.exe\n    - \\schtasks.exe\n    - \\smartscreen.exe\n    - \\spoolsv.exe\n    - \\tstheme.exe\n    - \\userinit.exe\n    - \\vssadmin.exe\n    - \\vssvc.exe\n    - \\w3wp.exe*\n    - \\winlogon.exe\n    - \\winscp.exe\n    - \\wmic.exe\n    
- \\word.exe\n    - \\wscript.exe\n  filter:\n    SourceImage|contains: Visual Studio\n  condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n
\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n  do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n  malicious logic within the PROCESS_ATTACH block of their library and restart the\n  aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n  machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - \'*\\tsmsisrv.dll\'\n    - \'*\\tsvipsrv.dll\'\n    - \'*\\wlbsctrl.dll\'\n  filter:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - C:\\Windows\\WinSxS\\*\n  condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n
\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n  machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: \'*\\mstsc.exe\'\n    TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  methregistry:\n    EventID: 13\n    TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n  methprocess:\n    EventID: 1\n    ParentImage: \'*\\eventvwr.exe\'\n  filterprocess:\n    Image: \'*\\mmc.exe\'\n  condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n
\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image|endswith: \\lsass.exe\n    Signed: \'false\'\n  condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n  selection_2:\n    TargetFilename|contains: \\inetpub\\wwwroot\\\n  selection_3:\n    TargetFilename|contains:\n    - .asp\n    - .ashx\n    - .ph\n  selection_4:\n    TargetFilename|contains:\n    - \\www\\\n    - \\htdocs\\\n    - \\html\\\n  selection_5:\n    TargetFilename|contains: .ph\n  selection_6:\n  - TargetFilename|endswith: .jsp\n  - TargetFilename|contains|all:\n    - \\cgi-bin\\\n    - .pl\n  condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n    selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n  web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*.github.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*dl.dropboxusercontent.com\'\n    - \'*.pastebin.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg1:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n    EventType: SetValue\n  condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selector:\n    EventID:\n    - 19\n    - 20\n    - 21\n  condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\wmiclnt.dll\n    - \\WmiApRpl.dll\n    - \\wmiprov.dll\n    - \\wmiutils.dll\n    - \\wbemcomn.dll\n    - \\wbemprox.dll\n    - \\WMINet_Utils.dll\n    - \\wbemsvc.dll\n    - \\fastprox.dll\n  filter:\n    Image|endswith:\n    - \\WmiPrvSe.exe\n    - \\WmiPrvSE.exe\n    - \\WmiAPsrv.exe\n    - \\svchost.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n    ImageLoaded: wbemcons.dll\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 20\n    Destination:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n    - \'* iex(*\'\n    - \'*WScript.shell*\'\n    - \'* -nop *\'\n    - \'* -noprofile *\'\n    - \'* -decode *\'\n    - \'* -enc *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n
\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n  as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*-noni -ep bypass $*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n
\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n  selection:\n    CommandLine:\n    - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n    - powershell.exe mshta.exe http*\n    - cmd.exe /c taskkill /im cmd.exe\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Russian group activity as described in Global Threat Report 2019\n  by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\xcopy.exe\'\n    CommandLine: \'* /S /E /C /Q /H \\\\*\'\n  selection2:\n    Image: \'*\\adexplorer.exe\'\n    CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n
\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n  in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n    - \'*\\AppData\\Local\\\\*,DllEntry*\'\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n
\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cscript.exe\'\n    CommandLine: \'*.vbs /shell *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n
\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\crackmapexec.exe\'\n  condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor acitivty as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n
\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor acitivty as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: C:\\Windows\\SysWOW64\\cmd.exe\n    CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n  selection2:\n    CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n
\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n  Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\sllauncher.exe\'\n    Image: \'*\\svchost.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n
\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*,dll_u\'\n  selection2:\n    CommandLine: \'* -export dll_u *\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n
\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* localgroup administrators admin /add\'\n    - \'*\\Win64.exe*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n  2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*\\ldifde.exe -f -n *\'\n    - \'*\\7za.exe a 1.7z *\'\n    - \'* eprod.ldf\'\n    - \'*\\aaaa\\procdump64.exe*\'\n    - \'*\\aaaa\\netsess.exe*\'\n    - \'*\\aaaa\\7za.exe*\'\n    - \'*copy .\\1.7z \\\\*\'\n    - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n  selection2:\n    Image: C:\\Users\\Public\\7za.exe\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n
\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*Temp\\wtask.exe /create*\'\n    - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n    - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n    - \'*/tn \"Security Script *\'\n    - \'*%windir:~-1,1%*\'\n  selection2:\n    Image:\n    - \'*Temp\\winwsh.exe\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader acitivty as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n
\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader acitivty as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rundll32.exe %APPDATA%\\\\*.dat\",*\n    - rundll32.exe %APPDATA%\\\\*.dll\",#1\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n
\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n  as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: ps.exe -accepteula\n  condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n
\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n  in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n  condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n
\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n  Dec/Jan 2020 in a campaign against Honk Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage|contains:\n    - C:\\Windows\\Temp\n    - \\hpqhvind.exe\n    Image|startswith: C:\\ProgramData\\DRM\n  selection2:\n    ParentImage|startswith: C:\\ProgramData\\DRM\n    Image|endswith: \\wmplayer.exe\n  selection3:\n    ParentImage|endswith: \\Test.exe\n    Image|endswith: \\wmplayer.exe\n  selection4:\n    Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n  selection5:\n    ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n    Image|endswith: \\SearchFilterHost.exe\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n
\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Command:\n    - rundll32.exe *,zxFunction*\n    - rundll32.exe *,RemoteDiskXXXXX\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n
\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\attrib.exe\'\n    CommandLine: \'* +h *\'\n  ini:\n    CommandLine: \'*\\desktop.ini *\'\n  intel:\n    ParentImage: \'*\\cmd.exe\'\n    CommandLine: +R +H +S +A \\\\*.cui\n    ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n  condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n  and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n
\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n  imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - wmic * *format:\\\"http*\n    - wmic * /format:\'http\n    - wmic * /format:http*\n  selection2:\n    Imphash:\n    - 1B1A3F43BF37B5BFE60751F2EE2F326E\n    - 37777A96245A3C74EB217308F3546F4C\n    - 9D87C9D67CE724033C0B40CC4CA1B206\n    CommandLine:\n    - \'* *format:\\\"http*\'\n    - \"* /format:\'http\"\n    - \'* /format:http*\'\n  condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n
\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n  called the file association or handler) is checked. File association selections\n  are stored in the Windows Registry and can be edited by users, administrators, or\n  programs that have Registry access or by administrators using the built-in assoc\n  utility. Applications can modify the file association for a given file extension\n  to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - cmd\n    - /c\n    - assoc\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n
\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cmdkey.exe\'\n    CommandLine: \'* /list *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n
\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n  Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentCommandLine: \'*\\DllHost.exe\'\n  selection2:\n    ParentCommandLine:\n    - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n    - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n
\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n  folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    CommandLine: \'*.cpl\'\n  filter:\n    CommandLine:\n    - \'*\\System32\\\\*\'\n    - \'*%System%*\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n
\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n  copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\esentutl.exe\n    CommandLine|contains:\n    - vss\n    - \' /m \'\n    - \' /y \'\n  - CommandLine|contains:\n    - \\windows\\ntds\\ntds.dit\n    - \\config\\sam\n    - \\config\\security\n    - \'\\config\\system \'\n    - \\repair\\sam\n    - \\repair\\system\n    - \\repair\\security\n    - \\config\\RegBack\\sam\n    - \\config\\RegBack\\system\n    - \\config\\RegBack\\security\n  condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n  by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n
\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n
\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n  prior to exfiltration in order to make it portable and minimize the amount of data\n  sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\rar.exe\n    CommandLine|contains: \' a \'\n  condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains|all:\n    - -filter\n    - trustedDomain\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n  line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains: ::FromBase64String\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains:\n    - IEX ([\n    - iex ([\n    - iex (New\n    - IEX (New\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n  indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_clear_1:\n    CommandLine: \'* cl */Trace*\'\n  selection_clear_2:\n    CommandLine: \'* clear-log */Trace*\'\n  selection_disable_1:\n    CommandLine: \'* sl* /e:false*\'\n  selection_disable_2:\n    CommandLine: \'* set-log* /e:false*\'\n  condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n
\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\plink.exe\n    - \\socat.exe\n    - \\stunnel.exe\n    - \\httptunnel.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n  in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\MicroScMgmt.exe \'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n  for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\FLTLDR.exe*\'\n  condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n  (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n
\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n  sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\EQNEDT32.EXE\'\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n  for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\csc.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n  SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - C:\\Windows\\Setup\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n  to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\consent.exe\'\n    Image: \'*\\iexplore.exe\'\n    CommandLine: \'* http*\'\n  rights1:\n    IntegrityLevel: System\n  rights2:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n  vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n    Image|endswith:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n
\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\takeown.exe\n    - \\cacls.exe\n    - \\icacls.exe\n    CommandLine|contains: /grant\n  - Image|endswith: \\attrib.exe\n    CommandLine|contains: -r\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n
\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    NewProcessName: \'*\\reg.exe\'\n    CommandLine|contains:\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - hklm\n    - hkey_local_machine\n  selection_3:\n    CommandLine|endswith:\n    - \\system\n    - \\sam\n    - \\security\n  condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n
\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n  tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|contains:\n    - \\Bloodhound.exe\n    - \\SharpHound.exe\n  selection2:\n    CommandLine|contains:\n    - \' -CollectionMethod All \'\n    - \'.exe -c All -d \'\n    - Invoke-Bloodhound\n    - Get-BloodHoundData\n  selection3:\n    CommandLine|contains|all:\n    - \' -JsonFolder \'\n    - \' -ZipFileName \'\n  selection4:\n    CommandLine|contains|all:\n    - \' DCOnly \'\n    - \' --NoSaveCache \'\n  condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n
\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*cmd.exe* /q /c chcp *\'\n  condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n
\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* asreproast *\'\n    - \'* dump /service:krbtgt *\'\n    - \'* kerberoast *\'\n    - \'* createnetonly /program:*\'\n    - \'* ptt /ticket:*\'\n    - \'* /impersonateuser:*\'\n    - \'* renew /ticket:*\'\n    - \'* asktgt /user:*\'\n    - \'* harvest /interval:*\'\n  condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n
\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Company: SecurityXploded\n  selection2:\n    Image|endswith: PasswordDump.exe\n  selection3:\n    OriginalFilename|endswith: PasswordDump.exe\n  condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n
\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\hh.exe\n    CommandLine|contains: .chm\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n
\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n  executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: C:\\Windows\\hh.exe\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\rundll32.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n  could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\Hwp.exe\'\n    Image: \'*\\gbb.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n
\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_other:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\services.exe\'\n    CommandLine:\n    - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n  selection_atexec:\n    ParentCommandLine:\n    - \'*svchost.exe -k netsvcs\'\n    - taskeng.exe*\n    CommandLine:\n    - cmd.exe /C *Windows\\\\Temp\\\\*&1\n  condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n
\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n  pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\pcalua.exe\n    - \\forfiles.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n  as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n  in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n  condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n
\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n  escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\at.exe\n    CommandLine|contains: interactive\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n
\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n  by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n  product: windows\n  service: process_creation\ndetection:\n  selection:\n  - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n  - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n  - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n  - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n  - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n  - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n  - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentIntegrityLevel: Medium\n    IntegrityLevel: System\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n  in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\svchost.exe\'\n    Image: \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n
\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n  - Image|endswith: \\whoami.exe\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains|all:\n    - useraccount\n    - get\n  - Image|endswith:\n    - \\quser.exe\n    - \\qwinsta.exe\n  - Image|endswith: \\cmdkey.exe\n    CommandLine|contains: /list\n  - Image|endswith: \\cmd.exe\n    CommandLine|contains|all:\n    - /c\n    - \'dir \'\n    - \\Users\\\n  filter_1:\n    CommandLine|contains:\n    - \' rmdir \'\n  selection_2:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: user\n  filter_2:\n    CommandLine|contains:\n    - /domain\n    - /add\n    - /delete\n    - /active\n    - /expires\n    - /passwordreq\n    - /scriptpath\n    - /times\n    - /workstations\n  condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n  which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n  to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine|contains|all:\n    - lsass\n    - .dmp\n  selection2:\n    Image|endswith: \\werfault.exe\n  selection3:\n    Image|contains: \\procdump\n    Image|endswith: .exe\n    CommandLine|contains: lsass\n  condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n
\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n  selection2:\n    ParentImage: \'*\\svchost.exe*\'\n    CommandLine:\n    - \'*whoami.exe /all\'\n    - \'*net.exe view\'\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n
\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* echo EEEE > *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n
\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n  more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e* PAA*\'\n    - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n    - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n    - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n    - \'*IgAoACcAKgAnACkAOwAkA*\'\n    - \'*IAKAAnACoAJwApADsAJA*\'\n    - \'*iACgAJwAqACcAKQA7ACQA*\'\n    - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n
\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n  of files in the System32 folder, which executes a special command command line to\n  delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n  all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - C:\\Windows\\System32\\\\*.exe\n    - C:\\Windows\\SysWOW64\\\\*.exe\n    CommandLine:\n    - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n    - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n    - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n
\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n  are passed back to the main module via named pipe, the file system journal of drive\n  C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  pipe_com:\n    CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n  rundll32_dash1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*.dat,#1\'\n  perfc_keyword:\n  - \'*\\perfc.dat*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n
\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage: \'*\\WinRAR.exe\'\n    Image: \'*\\wscript.exe\'\n  selection2:\n    CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n
\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - Microsoft\\Windows\\CurrentVersion\\Run\n    - C:\\users\\Public\\\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n
\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'* C:\\Users\\\\*.jse *\'\n    - \'* C:\\Users\\\\*.vbe *\'\n    - \'* C:\\Users\\\\*.js *\'\n    - \'* C:\\Users\\\\*.vba *\'\n    - \'* C:\\Users\\\\*.vbs *\'\n    - \'* C:\\ProgramData\\\\*.jse *\'\n    - \'* C:\\ProgramData\\\\*.vbe *\'\n    - \'* C:\\ProgramData\\\\*.js *\'\n    - \'* C:\\ProgramData\\\\*.vba *\'\n    - \'* C:\\ProgramData\\\\*.vbs *\'\n  falsepositive:\n    ParentImage: \'*\\winzip*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n
\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n  automatically every few minutes. This detectors attempts to identify that activity\n  based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\nltest.exe\'\n    CommandLine:\n    - /domain_trusts /all_trusts\n    - /domain_trusts\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n
\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\tasksche.exe\'\n    - \'*\\mssecsvc.exe\'\n    - \'*\\taskdl.exe\'\n    - \'*\\@WanaDecryptor@*\'\n    - \'*\\WanaDecryptor*\'\n    - \'*\\taskhsvc.exe\'\n    - \'*\\taskse.exe\'\n    - \'*\\111.exe\'\n    - \'*\\lhdfrgui.exe\'\n    - \'*\\diskpart.exe\'\n    - \'*\\linuxnew.exe\'\n    - \'*\\wannacry.exe\'\n  selection2:\n    CommandLine:\n    - \'*icacls * /grant Everyone:F /T /C /Q*\'\n    - \'*bcdedit /set {default} recoveryenabled no*\'\n    - \'*wbadmin delete catalog -quiet*\'\n    - \'*@Please_Read_Me@.txt*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n
\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /INJECTRUNNING *\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n
\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n  a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    ParentImage|endswith: \\services.exe\n  selection_2:\n  - CommandLine|contains:\n    - cmd\n    - comspec\n  - CommandLine|contains|all:\n    - cmd\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - \'%COMSPEC%\'\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - rundll32\n    - .dll,a\n    - \'/p:\'\n  filter1:\n    CommandLine|contains: MpCmdRun\n  condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    CommandLine|contains:\n    - DumpCreds\n    - invoke-mimikatz\n  selection_2:\n    CommandLine|contains:\n    - rpc\n    - token\n    - crypto\n    - dpapi\n    - sekurlsa\n    - kerberos\n    - lsadump\n    - privilege\n    - process\n  selection_3:\n    CommandLine|contains:\n    - \'::\'\n  condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n
\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mmc.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mshta.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n
\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - arp.exe\n    - at.exe\n    - attrib.exe\n    - cscript.exe\n    - dsquery.exe\n    - hostname.exe\n    - ipconfig.exe\n    - mimikatz.exe\n    - nbtstat.exe\n    - net.exe\n    - netsh.exe\n    - nslookup.exe\n    - ping.exe\n    - quser.exe\n    - qwinsta.exe\n    - reg.exe\n    - runas.exe\n    - sc.exe\n    - schtasks.exe\n    - ssh.exe\n    - systeminfo.exe\n    - taskkill.exe\n    - telnet.exe\n    - tracert.exe\n    - wscript.exe\n    - xcopy.exe\n    - pscp.exe\n    - copy.exe\n    - robocopy.exe\n    - certutil.exe\n    - vssadmin.exe\n    - powershell.exe\n    - wevtutil.exe\n    - psexec.exe\n    - bcedit.exe\n    - wbadmin.exe\n    - icacls.exe\n    - diskpart.exe\n  timeframe: 5m\n  condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n  Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: view\n  filter:\n    CommandLine|contains: \\\\\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains|all:\n    - user\n    - add\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*netsh firewall add*\'\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n
\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - netsh\n    - trace\n    - start\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh interface portproxy add v4tov4 *\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n  used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh i* p*=3389 c*\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n
\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n  monitor or capture information sent over a wired or wireless connection. An adversary\n  may place a network interface into promiscuous mode to passively access data in\n  transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\tshark.exe\n    CommandLine|contains: -i\n  - Image|endswith: \\windump.exe\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n
\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - create\n    - binpath\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: new-service\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n
\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n  with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n  filter:\n    ParentImage|endswith: \\explorer.exe\n  condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n  Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\scrcons.exe\'\n    - \'*\\schtasks.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\hh.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\msiexec.exe\'\n    - \'*\\forfiles.exe\'\n    - \'*\\scriptrunner.exe\'\n    - \'*\\mftrace.exe\'\n    - \'*\\AppVLP.exe\'\n    - \'*\\svchost.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n
\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n  Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - C:\\users\\\\*.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR 
*\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n  for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_cammute:\n    Image: \'*\\CamMute.exe\'\n  filter_cammute:\n    Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n  selection_chrome_frame:\n    Image: \'*\\chrome_frame_helper.exe\'\n  filter_chrome_frame:\n    Image: \'*\\Google\\Chrome\\application\\\\*\'\n  selection_devemu:\n    Image: \'*\\dvcemumanager.exe\'\n  filter_devemu:\n    Image: \'*\\Microsoft Device Emulator\\\\*\'\n  selection_gadget:\n    Image: \'*\\Gadget.exe\'\n  filter_gadget:\n    Image: \'*\\Windows Media Player\\\\*\'\n  selection_hcc:\n    Image: \'*\\hcc.exe\'\n  filter_hcc:\n    Image: \'*\\HTML Help Workshop\\\\*\'\n  selection_hkcmd:\n    Image: \'*\\hkcmd.exe\'\n  filter_hkcmd:\n    Image:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysNative\\\\*\'\n    - \'*\\SysWowo64\\\\*\'\n  selection_mc:\n    Image: \'*\\Mc.exe\'\n  filter_mc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n  selection_msmpeng:\n    Image: \'*\\MsMpEng.exe\'\n  filter_msmpeng:\n    Image:\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Windows Defender\\\\*\'\n    - \'*\\AntiMalware\\\\*\'\n  selection_msseces:\n    Image: \'*\\msseces.exe\'\n  filter_msseces:\n    Image:\n    - \'*\\Microsoft Security Center\\\\*\'\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Microsoft Security Essentials\\\\*\'\n  
selection_oinfo:\n    Image: \'*\\OInfoP11.exe\'\n  filter_oinfo:\n    Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n  selection_oleview:\n    Image: \'*\\OleView.exe\'\n  filter_oleview:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n  selection_rc:\n    Image: \'*\\rc.exe\'\n  filter_rc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n    - \'*\\Microsoft.NET\\\\*\'\n  condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n    and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n    ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n    ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n    ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n    filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n    and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n  whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \\msdt.exe\n    - \\installutil.exe\n    - \\regsvcs.exe\n    - \\regasm.exe\n    - \\msbuild.exe\n    - \\ieexec.exe\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Using installutil to add features for .NET applications (primarly would occur in\n  developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentUser:\n    - NT AUTHORITY\\NETWORK SERVICE\n    - NT AUTHORITY\\LOCAL SERVICE\n    User: NT AUTHORITY\\SYSTEM\n  rundllexception:\n    Image|endswith: \\rundll32.exe\n    CommandLine|contains: DavSetCookie\n  condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n
\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*System.Management.Automation.AmsiUtils*\'\n  selection2:\n    CommandLine:\n    - \'*amsiInitFailed*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n  selection:\n    CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*AAAAYInlM*\'\n  selection2:\n    CommandLine:\n    - \'*OiCAAAAYInlM*\'\n    - \'*OiJAAAAYInlM*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains: Start-BitsTransfer\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\rundll32.exe\'\n  selection2:\n    Description:\n    - \'*Windows-Hostprozess (Rundll32)*\'\n  selection3:\n    CommandLine:\n    - \'*Default.GetString*\'\n    - \'*FromBase64String*\'\n  condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n  line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\powershell.exe\'\n    CommandLine:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n
\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains: ::FromBase64String(\n  condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\Powershell.exe\'\n    CommandLine:\n    - \' -windowstyle h \'\n    - \' -windowstyl h\'\n    - \' -windowsty h\'\n    - \' -windowst h\'\n    - \' -windows h\'\n    - \' -windo h\'\n    - \' -wind h\'\n    - \' -win h\'\n    - \' -wi h\'\n    - \' -win h \'\n    - \' -win hi \'\n    - \' -win hid \'\n    - \' -win hidd \'\n    - \' -win hidde \'\n    - \' -NoPr \'\n    - \' -NoPro \'\n    - \' -NoProf \'\n    - \' -NoProfi \'\n    - \' -NoProfil \'\n    - \' -nonin \'\n    - \' -nonint \'\n    - \' -noninte \'\n    - \' -noninter \'\n    - \' -nonintera \'\n    - \' -noninterac \'\n    - \' -noninteract \'\n    - \' -noninteracti \'\n    - \' -noninteractiv \'\n    - \' -ec \'\n    - \' -encodedComman \'\n    - \' -encodedComma \'\n    - \' -encodedComm \'\n    - \' -encodedCom \'\n    - \' -encodedCo \'\n    - \' -encodedC \'\n    - \' -encoded \'\n    - \' -encode \'\n    - \' -encod \'\n    - \' -enco \'\n    - \' -en \'\n  condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n  obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    CommandLine:\n    - \'* -bxor*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n
\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\powershell.exe\'\n    CommandLine:\n    - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\taskhost.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\services.exe\'\n    - \'*\\lsaiso.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\winlogon.exe\'\n  filter:\n    ParentImage:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysWOW64\\\\*\'\n    - \'*\\SavService.exe\'\n    - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n
\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\bitsadmin.exe\'\n    CommandLine:\n    - \'* /transfer *\'\n  selection2:\n    CommandLine:\n    - \'*copy bitsadmin.exe*\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - comsvcs.dll,#24\n    - comsvcs.dll,MiniDump\n  condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n
\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n  condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n
\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n  about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\reg.exe\n    CommandLine|contains:\n    - query\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - currentVersion\\windows\n    - currentVersion\\runServicesOnce\n    - currentVersion\\runServices\n    - winlogon\\\n    - currentVersion\\shellServiceObjectDelayLoad\n    - currentVersion\\runOnce\n    - currentVersion\\runOnceEx\n    - currentVersion\\run\n    - currentVersion\\policies\\explorer\\run\n    - currentcontrolset\\services\n  condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n
\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - noconsentprompt\n    - \'shadow:\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n  parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wsmprovhost.exe\n  - ParentImage|endswith: \\wsmprovhost.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n
\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n  may be used before executing a scheduled task or to discover the time zone of a\n  target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: time\n  - Image|endswith: \\w32tm.exe\n    CommandLine|contains: tz\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: Get-Date\n  condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n
\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n    - \'*\\psexec.exe\'\n    - \'*\\psexec64.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cmstp.exe\'\n    - \'*\\msiexec.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n  string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Product:\n    - \'*PAExec*\'\n  selection2:\n    Imphash:\n    - 11D40A7B7876288F919AB819CC2D9802\n    - 6444f8a34e99b8f7d9647de66aabe516\n    - dfd6aa3f7b2b1035b76b718f1ddc689f\n    - 1a6cca4d5460b1710a12dea39e4a592c\n  filter1:\n    Image: \'*paexec*\'\n  condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n
\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\powershell.exe\n    Image|endswith: \\powershell.exe\n    CommandLine|contains|all:\n    - Get-Content\n    - -Stream\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n  to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\sdbinst.exe\'\n    CommandLine:\n    - \'*.sdb*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n
\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: \' start \'\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n
\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\sc.exe\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: stop\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n  utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - mklink\n    - HarddiskVolumeShadowCopy\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n  access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - create\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - delete\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n  for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\mshta.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\schtasks.exe\'\n    - \'*\\nslookup.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\bitsadmin.exe\'\n    - \'*\\mshta.exe\'\n  falsepositives:\n    CurrentDirectory: \'*\\ccmcache\\\\*\'\n  condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\SoundRecorder.exe\n    CommandLine|contains: /FILE\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_image:\n    Image: \'*\\setspn.exe\'\n  selection_desc:\n    Description: \'*Query or reset the computer* SPN attribute*\'\n  cmd:\n    CommandLine: \'*-q*\'\n  condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName: \'*\\bcdedit.exe\'\n    ProcessCommandLine:\n    - \'*delete*\'\n    - \'*deletevalue*\'\n    - \'*import*\'\n  condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\bginfo.exe\n    CommandLine|contains|all:\n    - /popup\n    - /nolicprompt\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n  a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\calc.exe *\'\n  selection2:\n    Image: \'*\\calc.exe\'\n  filter2:\n    Image: \'*\\Windows\\Sys*\'\n  condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cdb.exe\n    CommandLine|contains: -cf\n  condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n  \'decode\' sub command, which is sometimes used to decode malicious code with the\n  built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -decode *\'\n    - \'* /decode *\'\n    - \'* -decodehex *\'\n    - \'* /decodehex *\'\n    - \'* -urlcache *\'\n    - \'* /urlcache *\'\n    - \'* -verifyctl *\'\n    - \'* /verifyctl *\'\n    - \'* -encode *\'\n    - \'* /encode *\'\n    - \'*certutil* -URL*\'\n    - \'*certutil* /URL*\'\n    - \'*certutil* -ping*\'\n    - \'*certutil* /ping*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects a suspicious certutil command that is used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n
\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects a suspicious certutil command that is used to encode files,\n  which is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - certutil -f -encode *\n    - certutil.exe -f -encode *\n    - certutil -encode -f *\n    - certutil.exe -encode -f *\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious processes that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious processes that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*h^t^t^p*\'\n    - \'*h\"t\"t\"p*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes a URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n
\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes a URL and\n  AppData string in the command line parameters as used by several droppers (js/vbs\n  > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - cmd.exe /c *http://*%AppData%\n    - cmd.exe /c *https://*%AppData%\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n  language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - chcp* 936\n    - chcp* 1258\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n
\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n  groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - tasklist\n    - net time\n    - systeminfo\n    - whoami\n    - nbtstat\n    - net start\n    - \'*\\net1 start\'\n    - qprocess\n    - nslookup\n    - hostname.exe\n    - \'*\\net1 user /domain\'\n    - \'*\\net1 group /domain\'\n    - \'*\\net1 group \"domain admins\" /domain\'\n    - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n    - \'*\\net1 accounts /domain\'\n    - \'*\\net1 user net localgroup administrators\'\n    - netstat -an\n  timeframe: 15s\n  condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n  tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - 7z*.exe\n    - \'*rar.exe\'\n    - \'*Command*Line*RAR*\'\n    CommandLine:\n    - \'* -p*\'\n    - \'* -ta*\'\n    - \'* -tb*\'\n    - \'* -sdel*\'\n    - \'* -dw*\'\n    - \'* -hp*\'\n  falsepositive:\n    ParentImage: C:\\Program*\n  condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  rundll_image:\n    Image: \'*\\rundll32.exe\'\n  rundll_ofn:\n    OriginalFileName: RUNDLL32.EXE\n  selection:\n    CommandLine:\n    - \'*comsvcs*MiniDump*full*\'\n    - \'*comsvcs*MiniDumpW*full*\'\n  condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n  Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\System32\\control.exe\'\n    CommandLine: \'*\\rundll32.exe *\'\n  filter:\n    CommandLine: \'*Shell32.dll*\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n
\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - copy *\\c$\n    - copy *\\ADMIN$\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n  delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe*\'\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n  folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe\'\n    CommandLine:\n    - \'*\\AppData\\\\*\'\n    - \'*\\Windows\\Temp\\\\*\'\n  filter:\n    ParentImage:\n    - C:\\Program Files*\n    - \'*\\sdiagnhost.exe\'\n    - \'*\\w3wp.exe\'\n  condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n
\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n  Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  condition: selection\n  selection:\n    CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n
\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\dctask64.exe\n  filter:\n    CommandLine|contains:\n    - DesktopCentral_Agent\\agent\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n
\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\devtoolslauncher.exe\n    CommandLine|contains: LaunchForDeploy\n  condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n
\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n  registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \'*\\reg.exe\'\n    CommandLine|contains: add\n  selection_2:\n    CommandLine|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n    - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dnx.exe\n  condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n  extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n  in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*.doc.exe\'\n    - \'*.docx.exe\'\n    - \'*.xls.exe\'\n    - \'*.xlsx.exe\'\n    - \'*.ppt.exe\'\n    - \'*.pptx.exe\'\n    - \'*.rtf.exe\'\n    - \'*.pdf.exe\'\n    - \'*.txt.exe\'\n    - \'*      .exe\'\n    - \'*______.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dxcap.exe\n    CommandLine|contains|all:\n    - -c\n    - .exe\n  condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n  and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_wevtutil_binary:\n    Image|endswith: \\wevtutil.exe\n  selection_wevtutil_command:\n    CommandLine|contains:\n    - clear-log\n    - \' cl \'\n    - set-log\n    - \' sl \'\n  selection_other_ps:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains:\n    - Clear-EventLog\n    - Remove-EventLog\n    - Limit-EventLog\n  selection_other_wmic:\n    Image|endswith: \\wmic.exe\n    CommandLine|contains: \' ClearEventLog \'\n  condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n
\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - C:\\PerfLogs\\\\*\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Intel\\Logs\\\\*\n    - C:\\Users\\Default\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\NetworkService\\\\*\n    - C:\\Windows\\Fonts\\\\*\n    - C:\\Windows\\Debug\\\\*\n    - C:\\Windows\\Media\\\\*\n    - C:\\Windows\\Help\\\\*\n    - C:\\Windows\\addins\\\\*\n    - C:\\Windows\\repair\\\\*\n    - C:\\Windows\\security\\\\*\n    - \'*\\RSA\\MachineKeys\\\\*\'\n    - C:\\Windows\\system32\\config\\systemprofile\\\\*\n    - C:\\Windows\\Tasks\\\\*\n    - C:\\Windows\\System32\\Tasks\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n  out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wwwroot\\\\*\'\n    - \'*\\wmpub\\\\*\'\n    - \'*\\htdocs\\\\*\'\n  filter:\n    Image:\n    - \'*bin\\\\*\'\n    - \'*\\Tools\\\\*\'\n    - \'*\\SMSComponent\\\\*\'\n    ParentImage:\n    - \'*\\services.exe\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n
\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh firewall set opmode mode=disable\n    - netsh advfirewall set * state off\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n
\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n  it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n  and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  binary_1:\n    Image|endswith: \\fsutil.exe\n  binary_2:\n    OriginalFileName: fsutil.exe\n  selection:\n    CommandLine|contains:\n    - deletejournal\n    - createjournal\n  condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n  which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\GUP.exe\'\n  filter:\n    Image:\n    - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n    - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n  condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n
\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\APPCMD.EXE install module /name:*\'\n  condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n  IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\msiexec.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n
\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* msiexec*://*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\powerpnt.exe\n    - \\winword.exe\n    - \\excel.exe\n    CommandLine|contains: http\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n  (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\net.exe\'\n    - \'*\\net1.exe\'\n  cmdline:\n    CommandLine:\n    - \'* group*\'\n    - \'* localgroup*\'\n    - \'* user*\'\n    - \'* view*\'\n    - \'* share\'\n    - \'* accounts*\'\n    - \'* use*\'\n    - \'* stop *\'\n  condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n  following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n
\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n  against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\ntdsutil*\'\n  condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\odbcconf.exe\n    CommandLine|contains:\n    - -f\n    - regsvr\n  selection_2:\n    ParentImage|endswith: \\odbcconf.exe\n    Image|endswith: \\rundll32.exe\n  condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n
\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\OpenWith.exe\n    CommandLine|contains: /c\n  condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  clientMailRules:\n    CommandLine: \'*EnableUnsafeClientMailRules*\'\n  outlookExec:\n    ParentImage: \'*\\outlook.exe\'\n    CommandLine: \\\\\\\\*\\\\*.exe\n  condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n
\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\ping.exe 0x*\'\n    - \'*\\ping 0x*\'\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n    - \'* -noP -sta -w 1 -enc *\'\n    - \'* -NoP -NonI -W Hidden -enc *\'\n  condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n    - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n  (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e JAB*\'\n    - \'* -e  JAB*\'\n    - \'* -e   JAB*\'\n    - \'* -e    JAB*\'\n    - \'* -e     JAB*\'\n    - \'* -e      JAB*\'\n    - \'* -en JAB*\'\n    - \'* -enc JAB*\'\n    - \'* -enc* JAB*\'\n    - \'* -w hidden -e* JAB*\'\n    - \'* BA^J e-\'\n    - \'* -e SUVYI*\'\n    - \'* -e aWV4I*\'\n    - \'* -e SQBFAFgA*\'\n    - \'* -e aQBlAHgA*\'\n    - \'* -enc SUVYI*\'\n    - \'* -enc aWV4I*\'\n    - \'* -enc SQBFAFgA*\'\n    - \'* -enc aQBlAHgA*\'\n  falsepositive1:\n    CommandLine: \'* -ExecutionPolicy remotesigned *\'\n  condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n  lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  encoded:\n    Image: \'*\\powershell.exe\'\n    CommandLine: \'* hidden *\'\n  selection:\n    CommandLine:\n    - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n    - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n    - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n    - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n    - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n    - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n    - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n    - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n    - \'*JGNodW5rX3Npem*\'\n    - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n    - \'*RjaHVua19zaXpl*\'\n    - \'*Y2h1bmtfc2l6Z*\'\n    - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n    - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n    - \'*lPLkNvbXByZXNzaW9u*\'\n    - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n    - \'*SU8uQ29tcHJlc3Npb2*\'\n    - \'*Ty5Db21wcmVzc2lvb*\'\n    - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n    - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n    - \'*lPLk1lbW9yeVN0cmVhb*\'\n    - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n    - \'*SU8uTWVtb3J5U3RyZWFt*\'\n    - \'*Ty5NZW1vcnlTdHJlYW*\'\n    - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n    - \'*5HZXRDaHVua*\'\n    - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n    - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n    - \'*LkdldENodW5r*\'\n    - \'*R2V0Q2h1bm*\'\n    - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n    - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n    - \'*RIUkVBRF9JTkZPNj*\'\n    - \'*SFJFQURfSU5GTzY0*\'\n    - 
\'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n    - \'*VEhSRUFEX0lORk82N*\'\n    - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n    - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n    - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n    - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n    - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n    - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n    - \'*0AZQBtAG0AbwB2AGUA*\'\n    - \'*1lbW1vdm*\'\n    - \'*AGUAbQBtAG8AdgBlA*\'\n    - \'*bQBlAG0AbQBvAHYAZQ*\'\n    - \'*bWVtbW92Z*\'\n    - \'*ZW1tb3Zl*\'\n  condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory.keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n  programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  falsepositive:\n    CurrentDirectory: \'*\\Health Service State\\\\*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n  a special command line parameter in combination with the lsass.exe process. This\n  way we\'re also able to catch cases in which the attacker has renamed the procdump\n  executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'* -ma *\'\n  selection2:\n    CommandLine:\n    - \'* lsass*\'\n  selection3:\n    CommandLine:\n    - \'* -ma ls*\'\n  condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* sekurlsa:*\'\n    - net localgroup administrators * /add\n    - net group \"Domain Admins\" * /ADD /DOMAIN\n    - certutil.exe *-urlcache* http*\n    - certutil.exe *-urlcache* ftp*\n    - netsh advfirewall firewall *\\AppData\\\\*\n    - attrib +S +H +R *\\AppData\\\\*\n    - schtasks* /create *\\AppData\\\\*\n    - schtasks* /sc minute*\n    - \'*\\Regasm.exe *\\AppData\\\\*\'\n    - \'*\\Regasm *\\AppData\\\\*\'\n    - \'*\\bitsadmin* /transfer*\'\n    - \'*\\certutil.exe * -decode *\'\n    - \'*\\certutil.exe * -decodehex *\'\n    - \'*\\certutil.exe -ping *\'\n    - icacls * /grant Everyone:F /T /C /Q\n    - \'* wbadmin.exe delete catalog -quiet*\'\n    - \'*\\wscript.exe 
*.jse\'\n    - \'*\\wscript.exe *.js\'\n    - \'*\\wscript.exe *.vba\'\n    - \'*\\wscript.exe *.vbe\'\n    - \'*\\cscript.exe *.jse\'\n    - \'*\\cscript.exe *.js\'\n    - \'*\\cscript.exe *.vba\'\n    - \'*\\cscript.exe *.vbe\'\n    - \'*\\fodhelper.exe\'\n    - \'*waitfor*/s*\'\n    - \'*waitfor*/si persist*\'\n    - \'*remote*/s*\'\n    - \'*remote*/c*\'\n    - \'*remote*/q*\'\n    - \'*AddInProcess*\'\n    - \'* /stext *\'\n    - \'* /scomma *\'\n    - \'* /stab *\'\n    - \'* /stabular *\'\n    - \'* /shtml *\'\n    - \'* /sverhtml *\'\n    - \'* /sxml *\'\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n    - \'*\\Windows\\debug\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n  reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* /c powershell*\\AppData\\Local\\\\*\'\n    - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n  condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n  the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - powershell\n    - .DownloadFile\n    - System.Net.WebClient\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n
\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n  machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\Psr.exe\n    CommandLine|contains: /start\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rasdial\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - net group \"domain admins\" /domain\n    - net localgroup administrators\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n  recommendation: Check if the user that executed the commands is suspicious (e.g.\n    service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine: \'*\\Temp\\\\*\'\n  selection2:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\powershell.exe\'\n  selection3:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\cmd.exe\'\n  selection4:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine:\n    - \'*/i:http* scrobj.dll\'\n    - \'*/i:ftp* scrobj.dll\'\n  selection5:\n    Image: \'*\\wscript.exe\'\n    ParentImage: \'*\\regsvr32.exe\'\n  selection6:\n    Image: \'*\\EXCEL.EXE\'\n    CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n  process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n  filter:\n    Image|endswith: \\dctask64.exe\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*:\\RECYCLER\\\\*\'\n    - \'*:\\SystemVolumeInformation\\\\*\'\n    - C:\\\\Windows\\\\Tasks\\\\*\n    - C:\\\\Windows\\\\debug\\\\*\n    - C:\\\\Windows\\\\fonts\\\\*\n    - C:\\\\Windows\\\\help\\\\*\n    - C:\\\\Windows\\\\drivers\\\\*\n    - C:\\\\Windows\\\\addins\\\\*\n    - C:\\\\Windows\\\\cursors\\\\*\n    - C:\\\\Windows\\\\system32\\tasks\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n    - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n    - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n    - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n    - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n    - \'*\\rundll32.exe javascript:*\'\n    - \'* url.dll,*OpenURL *\'\n    - \'* url.dll,*OpenURLA *\'\n    - \'* url.dll,*FileProtocolHandler *\'\n    - \'* zipfldr.dll,*RouteTheCall *\'\n    - \'* Shell32.dll,*Control_RunDLL *\'\n    - \'* javascript:*\'\n    - \'*.RegisterXLL*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows contol panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,#*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Windows contol panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n
\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\schtasks.exe\'\n    CommandLine: \'* /create *\'\n  filter:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n
\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'*.jse\'\n    - \'*.vbe\'\n    - \'*.js\'\n    - \'*.vba\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n  it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - config\n    - binpath\n  selection_2:\n    CommandLine|contains:\n    - powershell\n    - cmd\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n
\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\update.exe\'\n    CommandLine:\n    - \'*--processStart*.exe*\'\n    - \'*--processStartAndWait*.exe*\'\n    - \'*--createShortcut*.exe*\'\n  condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\services.exe\'\n    - \'*\\MsMpEng.exe\'\n    - \'*\\Mrt.exe\'\n    - \'*\\rpcnet.exe\'\n    - \'*\\svchost.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n  and is normally observed when a malicious process spawns the process and injects\n  code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n  selection2:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\rpcnet.exe\'\n    - \'*\\rpcnetp.exe\'\n  condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n  (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\sysprep.exe *\\AppData\\\\*\'\n    - sysprep.exe *\\AppData\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n  condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnkown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\taskmgr.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\taskmgr.exe\'\n  filter:\n    Image:\n    - \'*\\resmon.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\taskmgr.exe\'\n  condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\tscon.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /dest:rdp-tcp:*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\csi.exe\n    ParentImage|endswith: \\powershell.exe\n    OriginalFileName: csi.exe\n  condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n  command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\userinit.exe\'\n  filter1:\n    CommandLine: \'*\\\\netlogon\\\\*\'\n  filter2:\n    Image: \'*\\explorer.exe\'\n  condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - \'*/NODE:*process call create *\'\n    - \'* path AntiVirusProduct get *\'\n    - \'* path FirewallProduct get *\'\n    - \'* shadowcopy delete *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n  easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    Image|endswith: \\fltmc.exe\n    CommandLine|contains|all:\n    - unload\n    - sys\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n
\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\services.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\spoolsv.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\smss.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\conhost.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\winlogon.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\taskhost.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\system32\\\\*\n    - C:\\Windows\\SysWow64\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\winsxs\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - \\SystemRoot\\System32\\\\*\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP insntallation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n
\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n  using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\tapinstall.exe\n  condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP insntallation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n
\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n  Adversaries can take advantage of this and load or influence any script hosts or\n  ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n  wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n  product: Windows\ndetection:\n  selection1:\n    CommandLine|contains:\n    - \'echo \'\n    - \'copy \'\n    - \'type \'\n    - file createnew\n  selection2:\n    CommandLine|contains:\n    - \' C:\\Windows\\System32\\Tasks\\\'\n    - \' C:\\Windows\\SysWow64\\Tasks\\\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n
\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n  could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n  filter:\n    Image: \'*\\rdpclip.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n  This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains: trustedDomain\n  condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n  Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cmstp.exe\n    CommandLine|contains:\n    - /s\n    - /au\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\fodhelper.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\wsreset.exe\n  filter:\n    Image|endswith: \\conhost.exe\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n  to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  scbynonadmin:\n    Image|endswith: \\sc.exe\n    IntegrityLevel: Medium\n  binpath:\n    CommandLine|contains|all:\n    - config\n    - binPath\n  failurecommand:\n    CommandLine|contains|all:\n    - failure\n    - command\n  condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n
\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n  just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*transport=dt_socket,address=*\'\n  exclusion:\n  - CommandLine: \'*address=127.0.0.1*\'\n  - CommandLine: \'*address=localhost*\'\n  condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n
\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n  activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\apache*\'\n    - \'*\\tomcat*\'\n    - \'*\\w3wp.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\httpd.exe\'\n    CommandLine:\n    - \'*whoami*\'\n    - \'*net user *\'\n    - \'*ping -n *\'\n    - \'*systeminfo\'\n    - \'*&cd&echo*\'\n    - \'*cd /d*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n
\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n  placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\w3wp.exe\'\n    - \'*\\httpd.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\tomcat.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n
\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n  a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image|endswith: \\whoami.exe\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: schtasks.exe\n    CommandLine: \'*/change*/TN*/RU*/RP*\'\n  condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n  category: process_creation\n  product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n  selection:\n    ParentImage: \'*\\EdgeTransport.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n    ParentImage: C:\\Windows\\System32\\svchost.exe\n  condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n
\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\WmiPrvSe.exe\n  filter:\n  - LogonId: \'0x3e7\'\n  - Username: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n  execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n
\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n  the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\WSreset.exe\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11184,'Issue',620,1,'New Sensitive Shared Resource'),(11185,'Issue',620,2,'Josh Brower'),(11186,'Issue',620,10,'medium'),(11187,'Issue',620,13,'imported'),(11188,'Issue',620,14,'osquery'),(11189,'Issue',620,8,'none'),(11191,'Issue',620,11,'8a0e88be7'),(11192,'Issue',620,12,'none'),(11193,'Issue',620,16,''),(11194,'Issue',620,17,''),(11195,'Issue',620,7,''),(11196,'Issue',620,3,'Network shares with loose access controls are common places that leak sensitive information. This play proactively looks for newly shared resources that likely contain sensitive data. Follow-up will be needed to confirm that appropriate access control is in place.'),(11197,'Issue',620,4,''),(11198,'Issue',620,5,'_False Positives_\nunknown'),(11199,'Issue',620,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((osquery.columns.qid:\"601\" AND osquery.columns.name.keyword:(*hr* OR *finance* OR *backup* OR *www* OR *scan*)) AND (NOT (osquery.result.counter:\"0\")))\nindex: so-osquery-*\nname: New Sensitive Shared Resource\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11200,'Issue',620,9,'{{collapse(View Sigma)\n
\n\ntitle: New Sensitive Shared Resource\ndescription: Network shares with loose access controls are common places that leak\n  sensitive information. This play proactively looks for newly shared resources that\n  likely contain sensitive data. Follow-up will be needed to confirm that appropriate\n  access control is in place.\nstatus: experimental\nauthor: Josh Brower\ntags:\n- attack.discovery\n- attack.t1135\nlogsource:\n  product: osquery\n  definition: select Description,Name,Path, \"601\" AS qid  from shared_resources where\n    type = 0 AND name <> \"print$\";\n  qid: 601\ndetection:\n  selection:\n    qid: 601\n    column_name:\n    - \'*hr*\'\n    - \'*finance*\'\n    - \'*backup*\'\n    - \'*www*\'\n    - \'*scan*\'\n  filter:\n    counter: 0\n  condition: selection and not filter\nfalsepositives:\n- unknown\nlevel: medium\ntasks:\n  1 - Check Share Permissions: Are share permissions set to an appropriate level?\n    They should be tied to the relevant AD Security Group.\n  2 - Contact System/Service Owner: If share permissions are not appropriate, contact\n    the system/service owner for remediation.\n\n
\n}}'),(11201,'Issue',620,15,'T1135'),(11202,'Issue',621,1,'Whoami Execution'),(11203,'Issue',621,2,'Florian Roth'),(11204,'Issue',621,10,'high'),(11205,'Issue',621,13,'imported'),(11206,'Issue',621,14,'windows'),(11207,'Issue',621,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11209,'Issue',621,11,'b2904c00a'),(11210,'Issue',621,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11211,'Issue',621,16,''),(11212,'Issue',621,17,''),(11213,'Issue',621,7,''),(11214,'Issue',621,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11215,'Issue',621,4,''),(11216,'Issue',621,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11217,'Issue',621,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11218,'Issue',621,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(11219,'Issue',621,15,'T1033'),(11220,'Issue',622,1,'Advanced IP Scanner'),(11221,'Issue',622,2,'@ROxPinTeddy'),(11222,'Issue',622,10,'medium'),(11223,'Issue',622,13,'community'),(11224,'Issue',622,14,'windows'),(11225,'Issue',622,8,'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'),(11227,'Issue',622,11,'28e0c60a4'),(11228,'Issue',622,12,'bef37fa2-f205-4a7b-b484-0759bfd5f86f'),(11229,'Issue',622,16,'win-proc'),(11230,'Issue',622,17,''),(11231,'Issue',622,7,''),(11232,'Issue',622,3,'Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.'),(11233,'Issue',622,4,''),(11234,'Issue',622,5,'_False Positives_\nLegitimate administrative use'),(11235,'Issue',622,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\advanced_ip_scanner*)\nindex: so-*\nname: Advanced IP Scanner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11236,'Issue',622,9,'{{collapse(View Sigma)\n
\n\ntitle: Advanced IP Scanner\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: experimental\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for\n  ransomware groups.\nreferences:\n- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nauthor: \'@ROxPinTeddy\'\ndate: 2020/05/12\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|contains: \\advanced_ip_scanner\n  condition: selection\nfalsepositives:\n- Legitimate administrative use\nlevel: medium\n\n
\n}}'),(11237,'Issue',622,15,'T1046'),(11238,'Issue',623,1,'Harvesting of Wifi Credentials Using netsh.exe'),(11239,'Issue',623,2,'Andreas Hunkeler (@Karneades)'),(11240,'Issue',623,10,'medium'),(11241,'Issue',623,13,'community'),(11242,'Issue',623,14,'windows'),(11243,'Issue',623,8,'https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/'),(11245,'Issue',623,11,'c7fcf9aee'),(11246,'Issue',623,12,'42b1a5b8-353f-4f10-b256-39de4467faff'),(11247,'Issue',623,16,'win-proc'),(11248,'Issue',623,17,''),(11249,'Issue',623,7,''),(11250,'Issue',623,3,'Detect the harvesting of wifi credentials using netsh.exe'),(11251,'Issue',623,4,''),(11252,'Issue',623,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe wlan functionality for legitimate reason'),(11253,'Issue',623,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear))\nindex: so-*\nname: Harvesting of Wifi Credentials Using netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11254,'Issue',623,9,'{{collapse(View Sigma)\n
\n\ntitle: Harvesting of Wifi Credentials Using netsh.exe\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: experimental\ndescription: Detect the harvesting of wifi credentials using netsh.exe\nreferences:\n- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2020/04/20\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh wlan s* p* k*=clear\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(11255,'Issue',623,15,'T1040'); +/*!40000 ALTER TABLE `custom_values` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `documents` +-- + +DROP TABLE IF EXISTS `documents`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `documents` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL DEFAULT '0', + `category_id` int(11) NOT NULL DEFAULT '0', + `title` varchar(255) NOT NULL DEFAULT '', + `description` text, + `created_on` timestamp NULL DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `documents_project_id` (`project_id`), + KEY `index_documents_on_category_id` (`category_id`), + KEY `index_documents_on_created_on` (`created_on`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `documents` +-- + +LOCK TABLES `documents` WRITE; +/*!40000 ALTER TABLE `documents` DISABLE KEYS */; +/*!40000 ALTER TABLE `documents` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `email_addresses` +-- + +DROP TABLE IF EXISTS `email_addresses`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `email_addresses` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) NOT NULL, + `address` varchar(255) NOT NULL, + `is_default` tinyint(1) NOT NULL DEFAULT '0', + `notify` tinyint(1) NOT NULL DEFAULT '1', + `created_on` datetime NOT NULL, + `updated_on` datetime NOT NULL, + PRIMARY KEY (`id`), + KEY `index_email_addresses_on_user_id` (`user_id`) +) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `email_addresses` +-- + +LOCK TABLES `email_addresses` WRITE; +/*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; +INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 
13:08:38'),(2,8,'analyst@localhost.local',1,1,'2020-04-26 18:46:48','2020-04-26 18:46:48'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); +/*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `enabled_modules` +-- + +DROP TABLE IF EXISTS `enabled_modules`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `enabled_modules` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) DEFAULT NULL, + `name` varchar(255) NOT NULL, + PRIMARY KEY (`id`), + KEY `enabled_modules_project_id` (`project_id`) +) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `enabled_modules` +-- + +LOCK TABLES `enabled_modules` WRITE; +/*!40000 ALTER TABLE `enabled_modules` DISABLE KEYS */; +INSERT INTO `enabled_modules` VALUES (1,1,'sigma_editor'),(2,1,'issue_tracking'); +/*!40000 ALTER TABLE `enabled_modules` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `enumerations` +-- + +DROP TABLE IF EXISTS `enumerations`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `enumerations` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(30) NOT NULL DEFAULT '', + `position` int(11) DEFAULT NULL, + `is_default` tinyint(1) NOT NULL DEFAULT '0', + `type` varchar(255) DEFAULT NULL, + `active` tinyint(1) NOT NULL DEFAULT '1', + `project_id` int(11) DEFAULT NULL, + `parent_id` int(11) DEFAULT NULL, + `position_name` varchar(30) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_enumerations_on_project_id` (`project_id`), + KEY `index_enumerations_on_id_and_type` (`id`,`type`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `enumerations` +-- + +LOCK 
TABLES `enumerations` WRITE; +/*!40000 ALTER TABLE `enumerations` DISABLE KEYS */; +INSERT INTO `enumerations` VALUES (1,'Normal',1,1,'IssuePriority',1,NULL,NULL,'default'); +/*!40000 ALTER TABLE `enumerations` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `groups_users` +-- + +DROP TABLE IF EXISTS `groups_users`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `groups_users` ( + `group_id` int(11) NOT NULL, + `user_id` int(11) NOT NULL, + UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `groups_users` +-- + +LOCK TABLES `groups_users` WRITE; +/*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; +INSERT INTO `groups_users` VALUES (5,8),(6,9),(7,1); +/*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `import_items` +-- + +DROP TABLE IF EXISTS `import_items`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `import_items` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `import_id` int(11) NOT NULL, + `position` int(11) NOT NULL, + `obj_id` int(11) DEFAULT NULL, + `message` text, + `unique_id` varchar(255) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `import_items` +-- + +LOCK TABLES `import_items` WRITE; +/*!40000 ALTER TABLE `import_items` DISABLE KEYS */; +/*!40000 ALTER TABLE `import_items` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `imports` +-- + +DROP TABLE IF EXISTS `imports`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE 
TABLE `imports` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `type` varchar(255) DEFAULT NULL, + `user_id` int(11) NOT NULL, + `filename` varchar(255) DEFAULT NULL, + `settings` text, + `total_items` int(11) DEFAULT NULL, + `finished` tinyint(1) NOT NULL DEFAULT '0', + `created_at` datetime NOT NULL, + `updated_at` datetime NOT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `imports` +-- + +LOCK TABLES `imports` WRITE; +/*!40000 ALTER TABLE `imports` DISABLE KEYS */; +/*!40000 ALTER TABLE `imports` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `issue_categories` +-- + +DROP TABLE IF EXISTS `issue_categories`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `issue_categories` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL DEFAULT '0', + `name` varchar(60) NOT NULL DEFAULT '', + `assigned_to_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `issue_categories_project_id` (`project_id`), + KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `issue_categories` +-- + +LOCK TABLES `issue_categories` WRITE; +/*!40000 ALTER TABLE `issue_categories` DISABLE KEYS */; +/*!40000 ALTER TABLE `issue_categories` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `issue_relations` +-- + +DROP TABLE IF EXISTS `issue_relations`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `issue_relations` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `issue_from_id` int(11) NOT NULL, + `issue_to_id` int(11) NOT NULL, + `relation_type` varchar(255) NOT NULL DEFAULT '', + `delay` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY 
`index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), + KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), + KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `issue_relations` +-- + +LOCK TABLES `issue_relations` WRITE; +/*!40000 ALTER TABLE `issue_relations` DISABLE KEYS */; +/*!40000 ALTER TABLE `issue_relations` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `issue_statuses` +-- + +DROP TABLE IF EXISTS `issue_statuses`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `issue_statuses` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(30) NOT NULL DEFAULT '', + `is_closed` tinyint(1) NOT NULL DEFAULT '0', + `position` int(11) DEFAULT NULL, + `default_done_ratio` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_issue_statuses_on_position` (`position`), + KEY `index_issue_statuses_on_is_closed` (`is_closed`) +) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `issue_statuses` +-- + +LOCK TABLES `issue_statuses` WRITE; +/*!40000 ALTER TABLE `issue_statuses` DISABLE KEYS */; +INSERT INTO `issue_statuses` VALUES (2,'Draft',0,1,NULL),(3,'Active',0,2,NULL),(4,'Inactive',0,3,NULL),(5,'Archived',0,4,NULL),(6,'Disabled',0,5,NULL); +/*!40000 ALTER TABLE `issue_statuses` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `issues` +-- + +DROP TABLE IF EXISTS `issues`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `issues` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `tracker_id` int(11) NOT NULL, + `project_id` int(11) NOT NULL, + `subject` varchar(255) NOT NULL DEFAULT '', + `description` 
longtext, + `due_date` date DEFAULT NULL, + `category_id` int(11) DEFAULT NULL, + `status_id` int(11) NOT NULL, + `assigned_to_id` int(11) DEFAULT NULL, + `priority_id` int(11) NOT NULL, + `fixed_version_id` int(11) DEFAULT NULL, + `author_id` int(11) NOT NULL, + `lock_version` int(11) NOT NULL DEFAULT '0', + `created_on` timestamp NULL DEFAULT NULL, + `updated_on` timestamp NULL DEFAULT NULL, + `start_date` date DEFAULT NULL, + `done_ratio` int(11) NOT NULL DEFAULT '0', + `estimated_hours` float DEFAULT NULL, + `parent_id` int(11) DEFAULT NULL, + `root_id` int(11) DEFAULT NULL, + `lft` int(11) DEFAULT NULL, + `rgt` int(11) DEFAULT NULL, + `is_private` tinyint(1) NOT NULL DEFAULT '0', + `closed_on` datetime DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `issues_project_id` (`project_id`), + KEY `index_issues_on_status_id` (`status_id`), + KEY `index_issues_on_category_id` (`category_id`), + KEY `index_issues_on_assigned_to_id` (`assigned_to_id`), + KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), + KEY `index_issues_on_tracker_id` (`tracker_id`), + KEY `index_issues_on_priority_id` (`priority_id`), + KEY `index_issues_on_author_id` (`author_id`), + KEY `index_issues_on_created_on` (`created_on`), + KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), + KEY `index_issues_on_parent_id` (`parent_id`) +) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `issues` +-- + +LOCK TABLES `issues` WRITE; +/*!40000 ALTER TABLE `issues` DISABLE KEYS */; +INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts 
Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory 
Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 
20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key 
Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from 
Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network 
Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 
20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 
20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK 
University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-13 14:07:10',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 
20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service 
Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 
20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:56:54','2020-05-13 14:07:11',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command 
Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,2,'2020-05-01 20:57:01','2020-05-13 14:07:11',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed 
Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 
20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin 
Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 
20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:27','2020-05-13 14:07:11',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified 
Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 
20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious 
Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location 
Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 
0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(620,1,1,'New Sensitive Shared Resource',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 13:30:57','2020-05-13 13:30:57',NULL,0,NULL,NULL,620,1,2,0,NULL),(621,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:05:41','2020-05-13 14:05:41',NULL,0,NULL,NULL,621,1,2,0,NULL),(622,1,1,'Advanced IP Scanner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:09','2020-05-13 14:07:09',NULL,0,NULL,NULL,622,1,2,0,NULL),(623,1,1,'Harvesting of Wifi Credentials Using netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:11','2020-05-13 14:07:11',NULL,0,NULL,NULL,623,1,2,0,NULL); +/*!40000 ALTER TABLE `issues` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `journal_details` +-- + +DROP TABLE IF EXISTS `journal_details`; +/*!40101 SET @saved_cs_client = @@character_set_client */; 
+/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `journal_details` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `journal_id` int(11) NOT NULL DEFAULT '0', + `property` varchar(30) NOT NULL DEFAULT '', + `prop_key` varchar(30) NOT NULL DEFAULT '', + `old_value` longtext, + `value` longtext, + PRIMARY KEY (`id`), + KEY `journal_details_journal_id` (`journal_id`) +) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `journal_details` +-- + +LOCK TABLES `journal_details` WRITE; +/*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; +INSERT INTO `journal_details` VALUES (5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n  the processing and rendering of data within XML files, rule detects when adversaries\n  abuse this functionality to execute arbitrary files while potentially bypassing\n  application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains: /format\n  - Image|endswith: \\msxsl.exe\n  condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4'),(9,627,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n  This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|endswith: \\bcdedit.exe\n    CommandLine: set\n  selection2:\n  - CommandLine|contains|all:\n    - bootstatuspolicy\n    - ignoreallfailures\n  - CommandLine|contains|all:\n    - recoveryenabled\n    - no\n  condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(10,629,'cf','9','{{collapse(View Sigma)\n
\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n  type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n  the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \' -version 2 \'\n    - \' -versio 2 \'\n    - \' -versi 2 \'\n    - \' -vers 2 \'\n    - \' -ver 2 \'\n    - \' -ve 2 \'\n    Image|endswith: \\powershell.exe\n  condition: selection\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(11,630,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n  (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - cmd.exe\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n    - 7z.exe\n    - winrar.exe\n    - wevtutil.exe\n    - net.exe\n    - net1.exe\n  filter:\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\powershell_ise.exe\n    - \\psexec.exe\n    - \\psexec64.exe\n    - \\cscript.exe\n    - \\wscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\certutil.exe\n    - \\rundll32.exe\n    - \\cmstp.exe\n    - \\msiexec.exe\n    - \\7z.exe\n    - \\winrar.exe\n    - \\wevtutil.exe\n    - \\net.exe\n    - \\net1.exe\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(12,631,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\netsh.exe\n    CommandLine|contains|all:\n    - add\n    - helper\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'); +/*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `journals` +-- + +DROP TABLE IF EXISTS `journals`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `journals` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `journalized_id` int(11) NOT NULL DEFAULT '0', + `journalized_type` varchar(30) NOT NULL DEFAULT '', + `user_id` int(11) NOT NULL DEFAULT '0', + `notes` longtext, + `created_on` datetime NOT NULL, + `private_notes` tinyint(1) NOT NULL DEFAULT '0', + PRIMARY KEY (`id`), + KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), + KEY `index_journals_on_user_id` (`user_id`), + KEY `index_journals_on_journalized_id` (`journalized_id`), + KEY `index_journals_on_created_on` (`created_on`) +) ENGINE=InnoDB AUTO_INCREMENT=633 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `journals` +-- + +LOCK TABLES `journals` WRITE; +/*!40000 ALTER TABLE `journals` DISABLE KEYS */; +INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 
20:58:00',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0),(624,620,'Issue',9,'Play imported successfully.','2020-05-13 13:30:57',0),(625,621,'Issue',9,'Play imported successfully.','2020-05-13 14:05:41',0),(626,622,'Issue',9,'Play imported successfully.','2020-05-13 14:07:09',0),(627,420,'Issue',9,'','2020-05-13 14:07:10',0),(628,623,'Issue',9,'Play imported successfully.','2020-05-13 14:07:11',0),(629,494,'Issue',9,'','2020-05-13 14:07:11',0),(630,508,'Issue',9,'','2020-05-13 14:07:11',0),(631,556,'Issue',9,'','2020-05-13 14:07:11',0); +/*!40000 ALTER TABLE `journals` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `member_roles` +-- + +DROP TABLE IF EXISTS `member_roles`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `member_roles` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `member_id` int(11) NOT NULL, + `role_id` int(11) NOT NULL, + `inherited_from` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_member_roles_on_member_id` (`member_id`), + KEY `index_member_roles_on_role_id` (`role_id`), + KEY `index_member_roles_on_inherited_from` (`inherited_from`) +) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `member_roles` +-- + +LOCK TABLES `member_roles` WRITE; +/*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; +INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(5,5,3,2),(7,7,4,3); +/*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `members` +-- + +DROP TABLE IF EXISTS `members`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `members` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) NOT NULL DEFAULT 
'0', + `project_id` int(11) NOT NULL DEFAULT '0', + `created_on` timestamp NULL DEFAULT NULL, + `mail_notification` tinyint(1) NOT NULL DEFAULT '0', + PRIMARY KEY (`id`), + UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), + KEY `index_members_on_user_id` (`user_id`), + KEY `index_members_on_project_id` (`project_id`) +) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `members` +-- + +LOCK TABLES `members` WRITE; +/*!40000 ALTER TABLE `members` DISABLE KEYS */; +INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(5,8,1,'2020-04-26 18:48:00',0),(7,1,1,'2020-05-01 16:42:56',0); +/*!40000 ALTER TABLE `members` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `messages` +-- + +DROP TABLE IF EXISTS `messages`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `messages` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `board_id` int(11) NOT NULL, + `parent_id` int(11) DEFAULT NULL, + `subject` varchar(255) NOT NULL DEFAULT '', + `content` text, + `author_id` int(11) DEFAULT NULL, + `replies_count` int(11) NOT NULL DEFAULT '0', + `last_reply_id` int(11) DEFAULT NULL, + `created_on` datetime NOT NULL, + `updated_on` datetime NOT NULL, + `locked` tinyint(1) DEFAULT '0', + `sticky` int(11) DEFAULT '0', + PRIMARY KEY (`id`), + KEY `messages_board_id` (`board_id`), + KEY `messages_parent_id` (`parent_id`), + KEY `index_messages_on_last_reply_id` (`last_reply_id`), + KEY `index_messages_on_author_id` (`author_id`), + KEY `index_messages_on_created_on` (`created_on`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `messages` +-- + +LOCK TABLES `messages` WRITE; +/*!40000 ALTER TABLE 
`messages` DISABLE KEYS */; +/*!40000 ALTER TABLE `messages` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `news` +-- + +DROP TABLE IF EXISTS `news`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `news` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) DEFAULT NULL, + `title` varchar(60) NOT NULL DEFAULT '', + `summary` varchar(255) DEFAULT '', + `description` text, + `author_id` int(11) NOT NULL DEFAULT '0', + `created_on` timestamp NULL DEFAULT NULL, + `comments_count` int(11) NOT NULL DEFAULT '0', + PRIMARY KEY (`id`), + KEY `news_project_id` (`project_id`), + KEY `index_news_on_author_id` (`author_id`), + KEY `index_news_on_created_on` (`created_on`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `news` +-- + +LOCK TABLES `news` WRITE; +/*!40000 ALTER TABLE `news` DISABLE KEYS */; +/*!40000 ALTER TABLE `news` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `open_id_authentication_associations` +-- + +DROP TABLE IF EXISTS `open_id_authentication_associations`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `open_id_authentication_associations` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `issued` int(11) DEFAULT NULL, + `lifetime` int(11) DEFAULT NULL, + `handle` varchar(255) DEFAULT NULL, + `assoc_type` varchar(255) DEFAULT NULL, + `server_url` blob, + `secret` blob, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `open_id_authentication_associations` +-- + +LOCK TABLES `open_id_authentication_associations` WRITE; +/*!40000 ALTER TABLE `open_id_authentication_associations` DISABLE KEYS */; +/*!40000 ALTER TABLE `open_id_authentication_associations` ENABLE KEYS */; +UNLOCK 
TABLES; + +-- +-- Table structure for table `open_id_authentication_nonces` +-- + +DROP TABLE IF EXISTS `open_id_authentication_nonces`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `open_id_authentication_nonces` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `timestamp` int(11) NOT NULL, + `server_url` varchar(255) DEFAULT NULL, + `salt` varchar(255) NOT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `open_id_authentication_nonces` +-- + +LOCK TABLES `open_id_authentication_nonces` WRITE; +/*!40000 ALTER TABLE `open_id_authentication_nonces` DISABLE KEYS */; +/*!40000 ALTER TABLE `open_id_authentication_nonces` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `projects` +-- + +DROP TABLE IF EXISTS `projects`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `projects` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(255) NOT NULL DEFAULT '', + `description` text, + `homepage` varchar(255) DEFAULT '', + `is_public` tinyint(1) NOT NULL DEFAULT '1', + `parent_id` int(11) DEFAULT NULL, + `created_on` timestamp NULL DEFAULT NULL, + `updated_on` timestamp NULL DEFAULT NULL, + `identifier` varchar(255) DEFAULT NULL, + `status` int(11) NOT NULL DEFAULT '1', + `lft` int(11) DEFAULT NULL, + `rgt` int(11) DEFAULT NULL, + `inherit_members` tinyint(1) NOT NULL DEFAULT '0', + `default_version_id` int(11) DEFAULT NULL, + `default_assigned_to_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_projects_on_lft` (`lft`), + KEY `index_projects_on_rgt` (`rgt`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `projects` +-- + +LOCK TABLES `projects` WRITE; +/*!40000 ALTER TABLE `projects` DISABLE 
KEYS */; +INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',0,NULL,'2020-04-26 13:13:01','2020-04-26 13:13:01','detection-playbooks',1,1,2,0,NULL,NULL); +/*!40000 ALTER TABLE `projects` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `projects_trackers` +-- + +DROP TABLE IF EXISTS `projects_trackers`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `projects_trackers` ( + `project_id` int(11) NOT NULL DEFAULT '0', + `tracker_id` int(11) NOT NULL DEFAULT '0', + UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), + KEY `projects_trackers_project_id` (`project_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `projects_trackers` +-- + +LOCK TABLES `projects_trackers` WRITE; +/*!40000 ALTER TABLE `projects_trackers` DISABLE KEYS */; +INSERT INTO `projects_trackers` VALUES (1,1); +/*!40000 ALTER TABLE `projects_trackers` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `queries` +-- + +DROP TABLE IF EXISTS `queries`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `queries` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) DEFAULT NULL, + `name` varchar(255) NOT NULL DEFAULT '', + `filters` text, + `user_id` int(11) NOT NULL DEFAULT '0', + `column_names` text, + `sort_criteria` text, + `group_by` varchar(255) DEFAULT NULL, + `type` varchar(255) DEFAULT NULL, + `visibility` int(11) DEFAULT '0', + `options` text, + PRIMARY KEY (`id`), + KEY `index_queries_on_project_id` (`project_id`), + KEY `index_queries_on_user_id` (`user_id`) +) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `queries` +-- + +LOCK TABLES `queries` WRITE; +/*!40000 ALTER TABLE `queries` DISABLE KEYS 
*/; +INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); +/*!40000 ALTER TABLE `queries` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `queries_roles` +-- + +DROP TABLE IF EXISTS `queries_roles`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `queries_roles` ( + `query_id` int(11) NOT NULL, + `role_id` int(11) NOT NULL, + UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table 
`queries_roles` +-- + +LOCK TABLES `queries_roles` WRITE; +/*!40000 ALTER TABLE `queries_roles` DISABLE KEYS */; +/*!40000 ALTER TABLE `queries_roles` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `repositories` +-- + +DROP TABLE IF EXISTS `repositories`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `repositories` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL DEFAULT '0', + `url` varchar(255) NOT NULL DEFAULT '', + `login` varchar(60) DEFAULT '', + `password` varchar(255) DEFAULT '', + `root_url` varchar(255) DEFAULT '', + `type` varchar(255) DEFAULT NULL, + `path_encoding` varchar(64) DEFAULT NULL, + `log_encoding` varchar(64) DEFAULT NULL, + `extra_info` longtext, + `identifier` varchar(255) DEFAULT NULL, + `is_default` tinyint(1) DEFAULT '0', + `created_on` timestamp NULL DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_repositories_on_project_id` (`project_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `repositories` +-- + +LOCK TABLES `repositories` WRITE; +/*!40000 ALTER TABLE `repositories` DISABLE KEYS */; +/*!40000 ALTER TABLE `repositories` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `roles` +-- + +DROP TABLE IF EXISTS `roles`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `roles` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(255) NOT NULL DEFAULT '', + `position` int(11) DEFAULT NULL, + `assignable` tinyint(1) DEFAULT '1', + `builtin` int(11) NOT NULL DEFAULT '0', + `permissions` text, + `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', + `users_visibility` varchar(30) NOT NULL DEFAULT 'all', + `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', + `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', + `settings` 
text, + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `roles` +-- + +LOCK TABLES `roles` WRITE; +/*!40000 ALTER TABLE `roles` DISABLE KEYS */; +INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- 
:add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: 
\'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); +/*!40000 ALTER TABLE `roles` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `roles_managed_roles` +-- + +DROP TABLE IF EXISTS `roles_managed_roles`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `roles_managed_roles` ( + `role_id` int(11) NOT NULL, + `managed_role_id` int(11) NOT NULL, + UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `roles_managed_roles` +-- + +LOCK TABLES `roles_managed_roles` WRITE; +/*!40000 ALTER TABLE `roles_managed_roles` DISABLE KEYS */; +/*!40000 ALTER TABLE `roles_managed_roles` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `schema_migrations` +-- + +DROP TABLE IF EXISTS `schema_migrations`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `schema_migrations` ( + `version` varchar(255) NOT NULL, + PRIMARY KEY (`version`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `schema_migrations` +-- + +LOCK TABLES `schema_migrations` WRITE; +/*!40000 ALTER TABLE `schema_migrations` DISABLE KEYS */; +INSERT INTO `schema_migrations` VALUES 
('1'),('1-redmine_webhook'),('10'),('100'),('101'),('102'),('103'),('104'),('105'),('106'),('107'),('108'),('11'),('12'),('13'),('14'),('15'),('16'),('17'),('18'),('19'),('2'),('20'),('20090214190337'),('20090312172426'),('20090312194159'),('20090318181151'),('20090323224724'),('20090401221305'),('20090401231134'),('20090403001910'),('20090406161854'),('20090425161243'),('20090503121501'),('20090503121505'),('20090503121510'),('20090614091200'),('20090704172350'),('20090704172355'),('20090704172358'),('20091010093521'),('20091017212227'),('20091017212457'),('20091017212644'),('20091017212938'),('20091017213027'),('20091017213113'),('20091017213151'),('20091017213228'),('20091017213257'),('20091017213332'),('20091017213444'),('20091017213536'),('20091017213642'),('20091017213716'),('20091017213757'),('20091017213835'),('20091017213910'),('20091017214015'),('20091017214107'),('20091017214136'),('20091017214236'),('20091017214308'),('20091017214336'),('20091017214406'),('20091017214440'),('20091017214519'),('20091017214611'),('20091017214644'),('20091017214720'),('20091017214750'),('20091025163651'),('20091108092559'),('20091114105931'),('20091123212029'),('20091205124427'),('20091220183509'),('20091220183727'),('20091220184736'),('20091225164732'),('20091227112908'),('20100129193402'),('20100129193813'),('20100221100219'),('20100313132032'),('20100313171051'),('20100705164950'),('20100819172912'),('20101104182107'),('20101107130441'),('20101114115114'),('20101114115359'),('20110220160626'),('20110223180944'),('20110223180953'),('20110224000000'),('20110226120112'),('20110226120132'),('20110227125750'),('20110228000000'),('20110228000100'),('20110401192910'),('20110408103312'),('20110412065600'),('20110511000000'),('20110902000000'),('20111201201315'),('20120115143024'),('20120115143100'),('20120115143126'),('20120127174243'),('20120205111326'),('20120223110929'),('20120301153455'),('20120422150750'),('20120705074331'),('20120707064544'),('20120714122000'),('2012071412
2100'),('20120714122200'),('20120731164049'),('20120930112914'),('20121026002032'),('20121026003537'),('20121209123234'),('20121209123358'),('20121213084931'),('20130110122628'),('20130201184705'),('20130202090625'),('20130207175206'),('20130207181455'),('20130215073721'),('20130215111127'),('20130215111141'),('20130217094251'),('20130602092539'),('20130710182539'),('20130713104233'),('20130713111657'),('20130729070143'),('20130911193200'),('20131004113137'),('20131005100610'),('20131124175346'),('20131210180802'),('20131214094309'),('20131215104612'),('20131218183023'),('20140228130325'),('20140903143914'),('20140920094058'),('20141029181752'),('20141029181824'),('20141109112308'),('20141122124142'),('20150113194759'),('20150113211532'),('20150113213922'),('20150113213955'),('20150208105930'),('20150510083747'),('20150525103953'),('20150526183158'),('20150528084820'),('20150528092912'),('20150528093249'),('20150725112753'),('20150730122707'),('20150730122735'),('20150921204850'),('20150921210243'),('20151020182334'),('20151020182731'),('20151021184614'),('20151021185456'),('20151021190616'),('20151024082034'),('20151025072118'),('20151031095005'),('20160404080304'),('20160416072926'),('20160529063352'),('20161001122012'),('20161002133421'),('20161010081301'),('20161010081528'),('20161010081600'),('20161126094932'),('20161220091118'),('20170207050700'),('20170302015225'),('20170309214320'),('20170320051650'),('20170418090031'),('20170419144536'),('20170723112801'),('20180501132547'),('20180913072918'),('20180923082945'),('20180923091603'),('20190315094151'),('20190315102101'),('20190510070108'),('20190620135549'),('21'),('22'),('23'),('24'),('25'),('26'),('27'),('28'),('29'),('3'),('30'),('31'),('32'),('33'),('34'),('35'),('36'),('37'),('38'),('39'),('4'),('40'),('41'),('42'),('43'),('44'),('45'),('46'),('47'),('48'),('49'),('5'),('50'),('51'),('52'),('53'),('54'),('55'),('56'),('57'),('58'),('59'),('6'),('60'),('61'),('62'),('63'),('64'),('65'),('66'),('67'),('68')
,('69'),('7'),('70'),('71'),('72'),('73'),('74'),('75'),('76'),('77'),('78'),('79'),('8'),('80'),('81'),('82'),('83'),('84'),('85'),('86'),('87'),('88'),('89'),('9'),('90'),('91'),('92'),('93'),('94'),('95'),('96'),('97'),('98'),('99'); +/*!40000 ALTER TABLE `schema_migrations` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `settings` +-- + +DROP TABLE IF EXISTS `settings`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `settings` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(255) NOT NULL DEFAULT '', + `value` text, + `updated_on` timestamp NULL DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_settings_on_name` (`name`) +) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `settings` +-- + +LOCK TABLES `settings` WRITE; +/*!40000 ALTER TABLE `settings` DISABLE KEYS */; +INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 
13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.178:7000/playbook/sigmac\ncreate_url: http://10.66.166.178:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 
16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); +/*!40000 ALTER TABLE `settings` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `time_entries` +-- + +DROP TABLE IF EXISTS `time_entries`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `time_entries` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL, + `author_id` int(11) DEFAULT NULL, + `user_id` int(11) NOT NULL, + `issue_id` int(11) DEFAULT NULL, + `hours` float NOT NULL, + `comments` varchar(1024) DEFAULT NULL, + `activity_id` int(11) NOT NULL, + `spent_on` date NOT NULL, + `tyear` int(11) NOT NULL, + `tmonth` int(11) NOT NULL, + `tweek` int(11) NOT 
NULL, + `created_on` datetime NOT NULL, + `updated_on` datetime NOT NULL, + PRIMARY KEY (`id`), + KEY `time_entries_project_id` (`project_id`), + KEY `time_entries_issue_id` (`issue_id`), + KEY `index_time_entries_on_activity_id` (`activity_id`), + KEY `index_time_entries_on_user_id` (`user_id`), + KEY `index_time_entries_on_created_on` (`created_on`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `time_entries` +-- + +LOCK TABLES `time_entries` WRITE; +/*!40000 ALTER TABLE `time_entries` DISABLE KEYS */; +/*!40000 ALTER TABLE `time_entries` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `tokens` +-- + +DROP TABLE IF EXISTS `tokens`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `tokens` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) NOT NULL DEFAULT '0', + `action` varchar(30) NOT NULL DEFAULT '', + `value` varchar(40) NOT NULL DEFAULT '', + `created_on` datetime NOT NULL, + `updated_on` timestamp NULL DEFAULT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `tokens_value` (`value`), + KEY `index_tokens_on_user_id` (`user_id`) +) ENGINE=InnoDB AUTO_INCREMENT=55 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `tokens` +-- + +LOCK TABLES `tokens` WRITE; +/*!40000 ALTER TABLE `tokens` DISABLE KEYS */; +INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 
18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'); +/*!40000 ALTER TABLE `tokens` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `trackers` +-- + +DROP TABLE IF EXISTS `trackers`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `trackers` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(30) NOT NULL DEFAULT '', + `description` varchar(255) DEFAULT NULL, + `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', + `position` int(11) DEFAULT NULL, + `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', + `fields_bits` int(11) DEFAULT '0', + `default_status_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `trackers` +-- + +LOCK TABLES `trackers` WRITE; +/*!40000 ALTER TABLE `trackers` DISABLE KEYS */; +INSERT INTO `trackers` VALUES 
(1,'Play','',0,1,0,255,2); +/*!40000 ALTER TABLE `trackers` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `user_preferences` +-- + +DROP TABLE IF EXISTS `user_preferences`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `user_preferences` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) NOT NULL DEFAULT '0', + `others` text, + `hide_mail` tinyint(1) DEFAULT '1', + `time_zone` varchar(255) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_user_preferences_on_user_id` (`user_id`) +) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `user_preferences` +-- + +LOCK TABLES `user_preferences` WRITE; +/*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; +INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(2,8,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); +/*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `users` +-- + +DROP TABLE IF 
EXISTS `users`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `users` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `login` varchar(255) NOT NULL DEFAULT '', + `hashed_password` varchar(40) NOT NULL DEFAULT '', + `firstname` varchar(30) NOT NULL DEFAULT '', + `lastname` varchar(255) NOT NULL DEFAULT '', + `admin` tinyint(1) NOT NULL DEFAULT '0', + `status` int(11) NOT NULL DEFAULT '1', + `last_login_on` datetime DEFAULT NULL, + `language` varchar(5) DEFAULT '', + `auth_source_id` int(11) DEFAULT NULL, + `created_on` timestamp NULL DEFAULT NULL, + `updated_on` timestamp NULL DEFAULT NULL, + `type` varchar(255) DEFAULT NULL, + `identity_url` varchar(255) DEFAULT NULL, + `mail_notification` varchar(255) NOT NULL DEFAULT '', + `salt` varchar(64) DEFAULT NULL, + `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', + `passwd_changed_on` datetime DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `index_users_on_id_and_type` (`id`,`type`), + KEY `index_users_on_auth_source_id` (`auth_source_id`), + KEY `index_users_on_type` (`type`) +) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `users` +-- + +LOCK TABLES `users` WRITE; +/*!40000 ALTER TABLE `users` DISABLE KEYS */; +INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-13 14:22:22','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 
13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-13 14:23:44','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); +/*!40000 ALTER TABLE `users` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `versions` +-- + +DROP TABLE IF EXISTS `versions`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `versions` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL DEFAULT '0', + `name` varchar(255) NOT NULL DEFAULT '', + `description` varchar(255) DEFAULT '', + `effective_date` date DEFAULT NULL, + `created_on` timestamp NULL DEFAULT NULL, + `updated_on` timestamp NULL DEFAULT NULL, + `wiki_page_title` varchar(255) DEFAULT NULL, + `status` varchar(255) DEFAULT 'open', + `sharing` varchar(255) NOT NULL DEFAULT 'none', + PRIMARY KEY (`id`), + KEY `versions_project_id` (`project_id`), + KEY `index_versions_on_sharing` (`sharing`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `versions` +-- + +LOCK TABLES `versions` WRITE; +/*!40000 ALTER TABLE `versions` DISABLE KEYS */; +/*!40000 ALTER TABLE `versions` ENABLE KEYS */; +UNLOCK TABLES; + 
+-- +-- Table structure for table `watchers` +-- + +DROP TABLE IF EXISTS `watchers`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `watchers` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `watchable_type` varchar(255) NOT NULL DEFAULT '', + `watchable_id` int(11) NOT NULL DEFAULT '0', + `user_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `watchers_user_id_type` (`user_id`,`watchable_type`), + KEY `index_watchers_on_user_id` (`user_id`), + KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `watchers` +-- + +LOCK TABLES `watchers` WRITE; +/*!40000 ALTER TABLE `watchers` DISABLE KEYS */; +/*!40000 ALTER TABLE `watchers` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `webhooks` +-- + +DROP TABLE IF EXISTS `webhooks`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `webhooks` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `url` varchar(255) DEFAULT NULL, + `project_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `webhooks` +-- + +LOCK TABLES `webhooks` WRITE; +/*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; +INSERT INTO `webhooks` VALUES (1,'http://10.66.166.178:7000/playbook/webhook',1); +/*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `wiki_content_versions` +-- + +DROP TABLE IF EXISTS `wiki_content_versions`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `wiki_content_versions` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `wiki_content_id` int(11) NOT NULL, + 
`page_id` int(11) NOT NULL, + `author_id` int(11) DEFAULT NULL, + `data` longblob, + `compression` varchar(6) DEFAULT '', + `comments` varchar(1024) DEFAULT '', + `updated_on` datetime NOT NULL, + `version` int(11) NOT NULL, + PRIMARY KEY (`id`), + KEY `wiki_content_versions_wcid` (`wiki_content_id`), + KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `wiki_content_versions` +-- + +LOCK TABLES `wiki_content_versions` WRITE; +/*!40000 ALTER TABLE `wiki_content_versions` DISABLE KEYS */; +/*!40000 ALTER TABLE `wiki_content_versions` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `wiki_contents` +-- + +DROP TABLE IF EXISTS `wiki_contents`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `wiki_contents` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `page_id` int(11) NOT NULL, + `author_id` int(11) DEFAULT NULL, + `text` longtext, + `comments` varchar(1024) DEFAULT '', + `updated_on` datetime NOT NULL, + `version` int(11) NOT NULL, + PRIMARY KEY (`id`), + KEY `wiki_contents_page_id` (`page_id`), + KEY `index_wiki_contents_on_author_id` (`author_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `wiki_contents` +-- + +LOCK TABLES `wiki_contents` WRITE; +/*!40000 ALTER TABLE `wiki_contents` DISABLE KEYS */; +/*!40000 ALTER TABLE `wiki_contents` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `wiki_pages` +-- + +DROP TABLE IF EXISTS `wiki_pages`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `wiki_pages` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `wiki_id` int(11) NOT NULL, + `title` varchar(255) NOT NULL, + `created_on` datetime NOT NULL, + `protected` 
tinyint(1) NOT NULL DEFAULT '0', + `parent_id` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), + KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), + KEY `index_wiki_pages_on_parent_id` (`parent_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `wiki_pages` +-- + +LOCK TABLES `wiki_pages` WRITE; +/*!40000 ALTER TABLE `wiki_pages` DISABLE KEYS */; +/*!40000 ALTER TABLE `wiki_pages` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `wiki_redirects` +-- + +DROP TABLE IF EXISTS `wiki_redirects`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `wiki_redirects` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `wiki_id` int(11) NOT NULL, + `title` varchar(255) DEFAULT NULL, + `redirects_to` varchar(255) DEFAULT NULL, + `created_on` datetime NOT NULL, + `redirects_to_wiki_id` int(11) NOT NULL, + PRIMARY KEY (`id`), + KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), + KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `wiki_redirects` +-- + +LOCK TABLES `wiki_redirects` WRITE; +/*!40000 ALTER TABLE `wiki_redirects` DISABLE KEYS */; +/*!40000 ALTER TABLE `wiki_redirects` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `wikis` +-- + +DROP TABLE IF EXISTS `wikis`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `wikis` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `project_id` int(11) NOT NULL, + `start_page` varchar(255) NOT NULL, + `status` int(11) NOT NULL DEFAULT '1', + PRIMARY KEY (`id`), + KEY `wikis_project_id` (`project_id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- 
Dumping data for table `wikis` +-- + +LOCK TABLES `wikis` WRITE; +/*!40000 ALTER TABLE `wikis` DISABLE KEYS */; +/*!40000 ALTER TABLE `wikis` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `workflows` +-- + +DROP TABLE IF EXISTS `workflows`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `workflows` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `tracker_id` int(11) NOT NULL DEFAULT '0', + `old_status_id` int(11) NOT NULL DEFAULT '0', + `new_status_id` int(11) NOT NULL DEFAULT '0', + `role_id` int(11) NOT NULL DEFAULT '0', + `assignee` tinyint(1) NOT NULL DEFAULT '0', + `author` tinyint(1) NOT NULL DEFAULT '0', + `type` varchar(30) DEFAULT NULL, + `field_name` varchar(30) DEFAULT NULL, + `rule` varchar(30) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), + KEY `index_workflows_on_old_status_id` (`old_status_id`), + KEY `index_workflows_on_role_id` (`role_id`), + KEY `index_workflows_on_new_status_id` (`new_status_id`), + KEY `index_workflows_on_tracker_id` (`tracker_id`) +) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `workflows` +-- + +LOCK TABLES `workflows` WRITE; +/*!40000 ALTER TABLE `workflows` DISABLE KEYS */; +INSERT INTO `workflows` VALUES 
(116,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(117,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(118,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(119,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(120,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(121,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(122,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(123,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(124,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(125,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(126,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(127,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(128,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(129,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(130,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(131,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(133,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(135,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(136,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(137,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(138,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(139,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(140,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(141,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(142,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(143,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(144,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(145,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(146,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(147,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(148,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(149,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(150,1,3,0,3,0,0,'WorkflowPermission','12','readon
ly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(152,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(154,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(155,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(156,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(157,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(158,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(159,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(160,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(161,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(162,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(163,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(164,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(165,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(166,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(167,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(168,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(169,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(171,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(173,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(174,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(175,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(176,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(177,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(178,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(179,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(180,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(181,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(182,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(183,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(184,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(185,1,5,0,3,0,0,'WorkflowPermission','8','r
eadonly'),(186,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(187,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(188,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(190,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(192,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(193,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(194,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(195,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(196,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(197,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(198,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(199,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(200,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(201,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(202,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(203,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(204,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(205,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(206,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(207,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(209,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition
',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL);
+/*!40000 ALTER TABLE `workflows` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2020-05-13 15:01:33
diff --git a/setup/so-setup b/setup/so-setup
index a5b57f13d..2ceb06a0a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -516,51 +516,52 @@ fi
 set_progress_str 72 "$(print_salt_state_apply 'soctopus')"
 salt-call state.apply -l info soctopus >> $setup_log 2>&1
 fi
+
+ if [[ "$PLAYBOOK" = 1 ]]; then
+ set_progress_str 73 "$(print_salt_state_apply 'playbook')"
+ salt-call state.apply -l info playbook >> $setup_log 2>&1
+ so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
+ fi
 if [[ "$OSQUERY" = 1 ]]; then
- set_progress_str 73 "$(print_salt_state_apply 'mysql')"
+ set_progress_str 74 "$(print_salt_state_apply 'mysql')"
 salt-call state.apply -l info mysql >> $setup_log 2>&1
- set_progress_str 73 "$(print_salt_state_apply 'fleet')"
+ set_progress_str 75 "$(print_salt_state_apply 'fleet')"
 salt-call state.apply -l info fleet >> $setup_log 2>&1
- set_progress_str 73 "$(print_salt_state_apply 'redis')"
+ set_progress_str 76 "$(print_salt_state_apply 'redis')"
 salt-call state.apply -l info redis >> $setup_log 2>&1
 if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
- set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
+ set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
 pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
 salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
 fi
- set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"
+ set_progress_str 77 "$(print_salt_state_apply 'so-fleet-setup')"
 so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
 fi
 if [[ "$WAZUH" = 1 ]]; then
- set_progress_str 75 "$(print_salt_state_apply 'wazuh')"
+ set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
 salt-call state.apply -l info wazuh >> $setup_log 2>&1
 fi
 if [[ "$THEHIVE" = 1 ]]; then
- set_progress_str 76 "$(print_salt_state_apply 'thehive')"
+ set_progress_str 79 "$(print_salt_state_apply 'thehive')"
 salt-call state.apply -l info thehive >> $setup_log 2>&1
 fi
 if [[ "$STRELKA" = 1 ]]; then
- set_progress_str 77 "$(print_salt_state_apply 'strelka')"
+ set_progress_str 80 "$(print_salt_state_apply 'strelka')"
 salt-call state.apply -l info strelka >> $setup_log 2>&1
 if [[ $STRELKARULES == 1 ]]; then
 /usr/sbin/so-yara-update >> $setup_log 2>&1
 fi
 fi
- if [[ "$PLAYBOOK" = 1 ]]; then
- set_progress_str 78 "$(print_salt_state_apply 'playbook')"
- salt-call state.apply -l info playbook >> $setup_log 2>&1
- fi
-
 if [[ $is_master || $is_helix ]]; then
 set_progress_str 81 "$(print_salt_state_apply 'utility')"
 salt-call state.apply -l info utility >> $setup_log 2>&1
From 96e93b012d8426d62221b7cf40ceb82e35b49de1 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 1 Jul 2020 17:18:01 -0400
Subject: [PATCH 098/314] Adjust imports for filebeat configuration to ensure import data is placed into ES

---
 salt/common/tools/sbin/so-import-pcap | 6 ++++--
 salt/filebeat/etc/filebeat.yml | 8 ++++----
 salt/filebeat/init.sls | 3 +--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index 3ca1f0277..402f921cb 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -76,11 +76,13 @@ function zeek() {
 NSM_PATH=/nsm/import/${HASH}/zeek
 mkdir -p $NSM_PATH/logs
- mkdir -p $NSM_PATH/spool
 mkdir -p $NSM_PATH/extracted
+ mkdir -p $NSM_PATH/spool
 chown -R zeek:socore $NSM_PATH
 docker run --rm \
- -v $NSM_PATH:/nsm:rw \
+ -v $NSM_PATH/logs:/nsm/zeek/logs:rw \
+ -v $NSM_PATH/spool:/nsm/zeek/spool:rw \
+ -v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \
 -v $PCAP:/input.pcap:ro \
 -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
 -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 9d0889a34..176365756 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
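Review bot: The playbook block added at the top of the hunk launches `so-playbook-ruleupdate` in the background with `&` and never waits on it or checks its exit status, so setup can finish and report success while the rule update is still running or has already failed; because its output goes to `/root/setup_playbook_rule_update.log` rather than `$setup_log`, the error grep over `$setup_log` elsewhere in this script would presumably not see a failure either. Consider capturing the PID (`ruleupdate_pid=$!`) and running `wait "$ruleupdate_pid"` before the final summary, or at least appending its output to `$setup_log`. The renumbering also reuses step 77 for both `fleet.event_update-custom-hostname` and `so-fleet-setup`, which looks unintended. The enclosing setup sequence starts and ends outside the hunk.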
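Review bot: `$PCAP` and `$NSM_PATH` are expanded unquoted in the `-v` bind-mount arguments and in `chown -R zeek:socore $NSM_PATH`, so a PCAP path containing whitespace would split into separate arguments to `docker run` and `chown`. Quote them, e.g. `-v "$PCAP:/input.pcap:ro" \` and `chown -R zeek:socore "$NSM_PATH"`. The `zeek()` function continues past the end of the hunk.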
@@ -128,8 +128,8 @@ filebeat.inputs:
 imported: true
 processors:
 - dissect:
- tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}"
- field: "source"
+ tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
+ field: "log.file.path"
 target_prefix: ""
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -166,8 +166,8 @@ filebeat.inputs:
 imported: true
 processors:
 - dissect:
- tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}"
- field: "source"
+ tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
+ field: "log.file.path"
 target_prefix: ""
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8fba7e258..95352010e 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -53,12 +53,11 @@ so-filebeat:
 - user: root
 - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
 - binds:
+ - /nsm:/nsm:ro
 - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
 - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
- - /nsm:/nsm:ro
 - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
 - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
- - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
From 408b5ee32d515563117d9c612d71f1ea6556be4d Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 1 Jul 2020 16:53:43 -0400
Subject: [PATCH 099/314] [ix] Fix if conditions

---
 setup/so-functions | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 46d08cc51..033d6ef3c 100755
--- a/setup/so-functions
+++ b/setup/so-functions
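Review bot: Both dissect processors now read `log.file.path`, but the `drop_fields` lists on the following lines still name `source` and never drop `log.file.path`, so the raw import path stays on every event next to the dissected `import.id`/`import.file`; if `source` is no longer populated by this Filebeat version, `drop_fields` will additionally report a missing field unless `ignore_missing: true` is set. If nothing downstream needs the raw path, `fields: ["log.file.path", "prospector", "input", "offset", "beat"]` together with `ignore_missing: true` keeps the event tidy; the same applies to the second hunk (`@@ -166`). The surrounding input definitions start outside the hunks.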
@@ -521,7 +521,7 @@ configure_network_sensor() {
 nmcli -f name,uuid -p con | grep -q "$INTERFACE"
 local found_int=$?
- if [[ ! $found_int ]]; then
+ if [[ $found_int != 0 ]]; then
 nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \
 ipv4.method disabled \
 ipv6.method ignore \
@@ -560,7 +560,7 @@ configure_network_sensor() {
 nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
 local found_int=$?
- if [[ ! $found_int ]]; then
+ if [[ $found_int != 0 ]]; then
 # Create the slave interface and assign it to the bond
 nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
 ethernet.mtu $MTU \
@@ -1668,7 +1668,5 @@ es_heapsize() {
 detect_ec2() {
 # Check if EC2
- curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null
- is_ec2=$?
- export is_ec2
+ if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi
 }
From aeda3fde74a5db1632e074db4e8a385c5134a9a9 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 1 Jul 2020 17:39:04 -0400
Subject: [PATCH 100/314] [revert] Remove regex from setup log grep

---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup b/setup/so-setup
index d5541a5b0..7397f3685 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1
 automated=no
 function progress() {
- if grep -qE "(ERROR|Error)" $setup_log || [[ -s /var/spool/mail/root ]]; then
+ if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then
 if [[ -s /var/spool/mail/root ]]; then
 echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1
 fi
From e3126064e8ce6557c11a028d42b36ec0f088fb68 Mon Sep 17 00:00:00 2001
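Review bot: The rewritten `detect_ec2` in the `@@ -1668` hunk probes the IMDSv1 endpoint without a session token, so on an instance where IMDSv2 is enforced the request is rejected, `--fail` makes curl exit non-zero and `is_ec2` silently stays unset, which callers cannot distinguish from "not EC2". A token-first probe (a `PUT` to `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, then the `GET` with `X-aws-ec2-metadata-token`) handles both modes. The subshell parentheses around `curl` are also unnecessary (`if curl ...; then` is enough), and an explicit `else export is_ec2="false"` would make the variable always defined. The `@@ -521` and `@@ -560` hunks are the fix the title describes and look correct.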
From: Jason Ertel
Date: Wed, 1 Jul 2020 17:58:02 -0400
Subject: [PATCH 101/314] Improve usage instructions for so-import-pcap

---
 salt/common/tools/sbin/so-import-pcap | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index 402f921cb..74661964d 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -21,18 +21,9 @@ function usage {
 cat << EOF
-Usage:
-Please supply at least one pcap file.
-
-For example, to import a single pcap named import.pcap:
-so-import-pcap import.pcap
-
-To import multiple pcaps:
-so-import-pcap import1.pcap import2.pcap
-
-** IMPORTANT **
-Security Onion installations contain processes that automatically discard old data. Therefore, imports of old network traffic might immediately be erased, unless those processes are first disabled.
+Usage: $0 [pcap-file-2] [pcap-file-3]
+Imports the given file(s) into the Security Onion system. Be aware that importing PCAP files with traffic dated older than the curator threshold will result in missing data. Use the included "so-curator-stop" command to avoid this scenario.
 EOF
 }
From 2cbd5ffe6129fe84c4f33dbd74a491a01646b4b7 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 1 Jul 2020 20:26:06 -0400
Subject: [PATCH 102/314] fix zeek.ssh description

---
 salt/elasticsearch/files/ingest/zeek.ssh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.ssh b/salt/elasticsearch/files/ingest/zeek.ssh
index f4685de74..03a9abc15 100644
--- a/salt/elasticsearch/files/ingest/zeek.ssh
+++ b/salt/elasticsearch/files/ingest/zeek.ssh
@@ -1,5 +1,5 @@
 {
- "description" : "zeek.conn",
+ "description" : "zeek.ssh",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
From f6adf4ed565545924658b3d6d2167004c581b6a4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 1 Jul 2020 20:26:51 -0400
Subject: [PATCH 103/314] fix zeek.smb_mapping description

---
 salt/elasticsearch/files/ingest/zeek.smb_mapping | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.smb_mapping b/salt/elasticsearch/files/ingest/zeek.smb_mapping
index 0242ab8f8..637ff414f 100644
--- a/salt/elasticsearch/files/ingest/zeek.smb_mapping
+++ b/salt/elasticsearch/files/ingest/zeek.smb_mapping
@@ -1,5 +1,5 @@
 {
- "description" : "zeek.smb_files",
+ "description" : "zeek.smb_mapping",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
From 98cfba18e9cbcc036eb10c9175b236ef25157d60 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 1 Jul 2020 20:27:40 -0400
Subject: [PATCH 104/314] fix zeek.ftp description

---
 salt/elasticsearch/files/ingest/zeek.ftp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.ftp b/salt/elasticsearch/files/ingest/zeek.ftp
index 55f6b4029..45aa76055 100644
--- a/salt/elasticsearch/files/ingest/zeek.ftp
+++ b/salt/elasticsearch/files/ingest/zeek.ftp
@@ -1,5 +1,5 @@
 {
- "description" : "zeek.http",
+ "description" : "zeek.ftp",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
From ac01b8de4b682d10d434316272517c51f3f408b7 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 1 Jul 2020 22:03:58 -0400
Subject: [PATCH 105/314] Stop curator when directed on PCAP imports

---
 salt/common/tools/sbin/so-import-pcap | 49 ++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 5 deletions(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index 74661964d..72b713a98 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -21,9 +21,18 @@ function usage {
 cat << EOF
-Usage: $0 [pcap-file-2] [pcap-file-3]
+Usage: $0 [options] [pcap-file-2] [pcap-file-N]
-Imports the given file(s) into the Security Onion system. Be aware that importing PCAP files with traffic dated older than the curator threshold will result in missing data. Use the included "so-curator-stop" command to avoid this scenario.
+Imports one or more PCAP files for analysis.
+
+Options:
+ --stop-curator Use this option when importing PCAPs with older traffic,
+ otherwise the data will not be available for analysis.
+ CAUTION: Curator will remain disabled! If this is a
+ production installation then curator should be
+ re-enabled once analysis of the imported PCAP
+ data is completed. Use the 'so-curator-start'
+ command to re-enable curator.
 EOF
 }
@@ -89,16 +98,35 @@ function zeek() {
 -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1
 }
+MORE_OPTIONS=1
+while [[ $# -gt 0 && $MORE_OPTIONS -eq 1 ]]; do
+ arg="$1"
+ case "$arg" in
+ "--stop-curator" )
+ STOP_CURATOR=1
+ shift
+ ;;
+ * )
+ if [[ "$arg" == "--"* ]]; then
+ echo "Invalid option"
+ usage
+ exit 1
+ else
+ MORE_OPTIONS=0
+ fi
+ esac
+done
+
 # if no parameters supplied, display usage
 if [ $# -eq 0 ]; then
 usage
- exit
+ exit 1
 fi
 # ensure this is a manager node
 if [ ! -d /opt/so/conf/soc ]; then
 echo "This procedure must be run on a manager node."
- exit
+ exit 2
 fi
 # verify that all parameters are files
@@ -106,10 +134,16 @@ for i in "$@"; do
 if ! [ -f "$i" ]; then
 usage
 echo "\"$i\" is not a valid file!"
- exit
+ exit 3
 fi
 done
+if [[ $STOP_CURATOR -eq 1 ]]; then
+ echo -n "Stopping curator..."
+ so-curator-stop > /dev/null 2>&1
+ echo "Done"
+fi
+
 # track if we have any valid or invalid pcaps
 INVALID_PCAPS="no"
 VALID_PCAPS="no"
@@ -211,4 +245,9 @@ From: $START_OLDEST
 To: $END_NEWEST
 Please note that it may take 30 seconds or more for events to appear in Kibana.
 EOF
+fi
+
+if [[ $STOP_CURATOR -eq 1 ]]; then
+ echo ""
+ echo "CAUTION: Curator has been stopped and must be manually re-enabled via so-curator-start, once analysis is completed."
 fi
\ No newline at end of file
From 0b10b775c54149057c1fcc24272825c310bbe065 Mon Sep 17 00:00:00 2001
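Review bot: In the `@@ -106` hunk the exit status of `so-curator-stop` is discarded (`> /dev/null 2>&1`) and "Done" is printed unconditionally, so if stopping curator fails the import still proceeds and the user is told the data will be retained when it may not be; check it with `if ! so-curator-stop > /dev/null 2>&1; then echo "failed"; exit 4; fi`. `STOP_CURATOR` is also never initialised in the `@@ -89` option loop; `[[ $STOP_CURATOR -eq 1 ]]` happens to treat an empty value as 0, but `STOP_CURATOR=0` next to `MORE_OPTIONS=1` makes that explicit. The "Invalid option" message would be more useful as `echo "Invalid option: $arg"`.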
From: bryant-treacle
Date: Thu, 2 Jul 2020 07:02:35 +0000
Subject: [PATCH 106/314] Additional so-container scripts

---
 salt/common/tools/sbin/so-idstools-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-idstools-start | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-idstools-stop | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-influxdb-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-influxdb-start | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-influxdb-stop | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-nginx-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-nginx-start | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-nginx-stop | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-soc-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-soc-start | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-soc-stop | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-telegraf-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-telegraf-start | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-telegraf-stop | 20 ++++++++++++++++++++
 15 files changed, 300 insertions(+)
 create mode 100755 salt/common/tools/sbin/so-idstools-restart
 create mode 100755 salt/common/tools/sbin/so-idstools-start
 create mode 100755 salt/common/tools/sbin/so-idstools-stop
 create mode 100755 salt/common/tools/sbin/so-influxdb-restart
 create mode 100755 salt/common/tools/sbin/so-influxdb-start
 create mode 100755 salt/common/tools/sbin/so-influxdb-stop
 create mode 100755 salt/common/tools/sbin/so-nginx-restart
 create mode 100755 salt/common/tools/sbin/so-nginx-start
 create mode 100755 salt/common/tools/sbin/so-nginx-stop
 create mode 100755 salt/common/tools/sbin/so-soc-restart
 create mode 100755 salt/common/tools/sbin/so-soc-start
 create mode 100755 salt/common/tools/sbin/so-soc-stop
 create mode 100755 salt/common/tools/sbin/so-telegraf-restart
 create mode 100755 salt/common/tools/sbin/so-telegraf-start
 create mode 100755 salt/common/tools/sbin/so-telegraf-stop

diff --git a/salt/common/tools/sbin/so-idstools-restart b/salt/common/tools/sbin/so-idstools-restart
new file mode 100755
index 000000000..8dec9b4c4
--- /dev/null
+++ b/salt/common/tools/sbin/so-idstools-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idstools $1
diff --git a/salt/common/tools/sbin/so-idstools-start b/salt/common/tools/sbin/so-idstools-start
new file mode 100755
index 000000000..8b34b458f
--- /dev/null
+++ b/salt/common/tools/sbin/so-idstools-start
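Review bot: `$1` is passed unquoted in `/usr/sbin/so-restart idstools $1`, so an argument containing whitespace is split and an empty one disappears before `so-restart` sees it, and any further arguments are silently ignored. `/usr/sbin/so-restart idstools "$@"` forwards what the caller supplied intact; whether `so-restart`, `so-start` and `so-stop` accept more than one trailing argument is not visible here, so `"$1"` is the minimal safe change. The same line shape appears in every other script of this commit (so-idstools-start/stop and the so-influxdb-*, so-nginx-*, so-soc-* and so-telegraf-* hunks).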
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idstools $1
diff --git a/salt/common/tools/sbin/so-idstools-stop b/salt/common/tools/sbin/so-idstools-stop
new file mode 100755
index 000000000..8c4b25031
--- /dev/null
+++ b/salt/common/tools/sbin/so-idstools-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idstools $1
diff --git a/salt/common/tools/sbin/so-influxdb-restart b/salt/common/tools/sbin/so-influxdb-restart
new file mode 100755
index 000000000..c822dc251
--- /dev/null
+++ b/salt/common/tools/sbin/so-influxdb-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart influxdb $1
diff --git a/salt/common/tools/sbin/so-influxdb-start b/salt/common/tools/sbin/so-influxdb-start
new file mode 100755
index 000000000..d840838f3
--- /dev/null
+++ b/salt/common/tools/sbin/so-influxdb-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start influxdb $1
diff --git a/salt/common/tools/sbin/so-influxdb-stop b/salt/common/tools/sbin/so-influxdb-stop
new file mode 100755
index 000000000..fe06c34e4
--- /dev/null
+++ b/salt/common/tools/sbin/so-influxdb-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop influxdb $1
diff --git a/salt/common/tools/sbin/so-nginx-restart b/salt/common/tools/sbin/so-nginx-restart
new file mode 100755
index 000000000..ce45ebd06
--- /dev/null
+++ b/salt/common/tools/sbin/so-nginx-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart nginx $1
diff --git a/salt/common/tools/sbin/so-nginx-start b/salt/common/tools/sbin/so-nginx-start
new file mode 100755
index 000000000..5ee1e3c55
--- /dev/null
+++ b/salt/common/tools/sbin/so-nginx-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start nginx $1
diff --git a/salt/common/tools/sbin/so-nginx-stop b/salt/common/tools/sbin/so-nginx-stop
new file mode 100755
index 000000000..1901c6e85
--- /dev/null
+++ b/salt/common/tools/sbin/so-nginx-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop nginx $1
diff --git a/salt/common/tools/sbin/so-soc-restart b/salt/common/tools/sbin/so-soc-restart
new file mode 100755
index 000000000..19bc85b2a
--- /dev/null
+++ b/salt/common/tools/sbin/so-soc-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soc $1
diff --git a/salt/common/tools/sbin/so-soc-start b/salt/common/tools/sbin/so-soc-start
new file mode 100755
index 000000000..44480d3db
--- /dev/null
+++ b/salt/common/tools/sbin/so-soc-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soc $1
diff --git a/salt/common/tools/sbin/so-soc-stop b/salt/common/tools/sbin/so-soc-stop
new file mode 100755
index 000000000..d089fe9ea
--- /dev/null
+++ b/salt/common/tools/sbin/so-soc-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soc $1
diff --git a/salt/common/tools/sbin/so-telegraf-restart b/salt/common/tools/sbin/so-telegraf-restart
new file mode 100755
index 000000000..e69e14ee8
--- /dev/null
+++ b/salt/common/tools/sbin/so-telegraf-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart telegraf $1
diff --git a/salt/common/tools/sbin/so-telegraf-start b/salt/common/tools/sbin/so-telegraf-start
new file mode 100755
index 000000000..4d9b760ef
--- /dev/null
+++ b/salt/common/tools/sbin/so-telegraf-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start telegraf $1
diff --git a/salt/common/tools/sbin/so-telegraf-stop b/salt/common/tools/sbin/so-telegraf-stop
new file mode 100755
index 000000000..4b6ca2ca9
--- /dev/null
+++ b/salt/common/tools/sbin/so-telegraf-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop telegraf $1
From 3c93f9fd4558c26aa2799473eb917f5ab7208a50 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 2 Jul 2020 05:30:30 -0400
Subject: [PATCH 107/314] Playbook setup fix

---
 setup/so-setup | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/setup/so-setup b/setup/so-setup
index 2ceb06a0a..3f3759012 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -518,14 +518,19 @@ fi
 fi
 if [[ "$PLAYBOOK" = 1 ]]; then
+ set_progress_str 73 "$(print_salt_state_apply 'mysql')"
+ salt-call state.apply -l info mysql >> $setup_log 2>&1
+
 set_progress_str 73 "$(print_salt_state_apply 'playbook')"
 salt-call state.apply -l info playbook >> $setup_log 2>&1
 so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
 fi
 if [[ "$OSQUERY" = 1 ]]; then
+ if [[ "$PLAYBOOK" != 1 ]]; then
 set_progress_str 74 "$(print_salt_state_apply 'mysql')"
 salt-call state.apply -l info mysql >> $setup_log 2>&1
+ fi
 set_progress_str 75 "$(print_salt_state_apply 'fleet')"
 salt-call state.apply -l info fleet >> $setup_log 2>&1
From 7811ea5d4c622132e0976786364fe6adf6aa7f2b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 2 Jul 2020 05:32:35 -0400
Subject: [PATCH 108/314] Delete playbook_db_init.sql.backup

---
 .../files/playbook_db_init.sql.backup | 1771 -----------------
 1 file changed, 1771 deletions(-)
 delete mode 100644 salt/playbook/files/playbook_db_init.sql.backup

diff --git a/salt/playbook/files/playbook_db_init.sql.backup b/salt/playbook/files/playbook_db_init.sql.backup
deleted file mode 100644
index 0a10e6eb5..000000000
--- a/salt/playbook/files/playbook_db_init.sql.backup
+++ /dev/null
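Review bot: The mysql state is now applied from two places guarded by complementary conditions (`"$PLAYBOOK" = 1` in the first block, `"$PLAYBOOK" != 1` nested inside the osquery block), which is easy to get out of sync the next time either block is edited; a single guard ahead of both blocks, `if [[ "$PLAYBOOK" = 1 || "$OSQUERY" = 1 ]]; then`, applying mysql once would state the intent directly. The added lines also reuse progress step 73 for both `mysql` and `playbook`, so the progress indicator will not advance between them. The enclosing setup sequence starts and ends outside the hunk.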
@@ -1,1771 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) --- --- Host: localhost Database: playbook --- ------------------------------------------------------ --- Server version 5.7.24 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Current Database: `playbook` --- - -CREATE DATABASE /*!32312 IF NOT EXISTS*/ `playbook` /*!40100 DEFAULT CHARACTER SET latin1 */; - -USE `playbook`; - --- --- Table structure for table `ar_internal_metadata` --- - -DROP TABLE IF EXISTS `ar_internal_metadata`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ar_internal_metadata` ( - `key` varchar(255) NOT NULL, - `value` varchar(255) DEFAULT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`key`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `ar_internal_metadata` --- - -LOCK TABLES `ar_internal_metadata` WRITE; -/*!40000 ALTER TABLE `ar_internal_metadata` DISABLE KEYS */; -INSERT INTO `ar_internal_metadata` VALUES ('environment','production','2020-04-26 13:08:38','2020-04-26 13:08:38'); -/*!40000 ALTER TABLE `ar_internal_metadata` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `attachments` --- - -DROP TABLE IF EXISTS `attachments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; 
-/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `attachments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `container_id` int(11) DEFAULT NULL, - `container_type` varchar(30) DEFAULT NULL, - `filename` varchar(255) NOT NULL DEFAULT '', - `disk_filename` varchar(255) NOT NULL DEFAULT '', - `filesize` bigint(20) NOT NULL DEFAULT '0', - `content_type` varchar(255) DEFAULT '', - `digest` varchar(64) NOT NULL DEFAULT '', - `downloads` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `description` varchar(255) DEFAULT NULL, - `disk_directory` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_attachments_on_author_id` (`author_id`), - KEY `index_attachments_on_created_on` (`created_on`), - KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), - KEY `index_attachments_on_disk_filename` (`disk_filename`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `attachments` --- - -LOCK TABLES `attachments` WRITE; -/*!40000 ALTER TABLE `attachments` DISABLE KEYS */; -/*!40000 ALTER TABLE `attachments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `auth_sources` --- - -DROP TABLE IF EXISTS `auth_sources`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_sources` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(60) NOT NULL DEFAULT '', - `host` varchar(60) DEFAULT NULL, - `port` int(11) DEFAULT NULL, - `account` varchar(255) DEFAULT NULL, - `account_password` varchar(255) DEFAULT '', - `base_dn` varchar(255) DEFAULT NULL, - `attr_login` varchar(30) DEFAULT NULL, - `attr_firstname` varchar(30) DEFAULT NULL, - `attr_lastname` varchar(30) DEFAULT NULL, - `attr_mail` varchar(30) DEFAULT NULL, - `onthefly_register` tinyint(1) 
NOT NULL DEFAULT '0', - `tls` tinyint(1) NOT NULL DEFAULT '0', - `filter` text, - `timeout` int(11) DEFAULT NULL, - `verify_peer` tinyint(1) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `index_auth_sources_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `auth_sources` --- - -LOCK TABLES `auth_sources` WRITE; -/*!40000 ALTER TABLE `auth_sources` DISABLE KEYS */; -/*!40000 ALTER TABLE `auth_sources` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `boards` --- - -DROP TABLE IF EXISTS `boards`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `boards` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `position` int(11) DEFAULT NULL, - `topics_count` int(11) NOT NULL DEFAULT '0', - `messages_count` int(11) NOT NULL DEFAULT '0', - `last_message_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `boards_project_id` (`project_id`), - KEY `index_boards_on_last_message_id` (`last_message_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `boards` --- - -LOCK TABLES `boards` WRITE; -/*!40000 ALTER TABLE `boards` DISABLE KEYS */; -/*!40000 ALTER TABLE `boards` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changes` --- - -DROP TABLE IF EXISTS `changes`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changes` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `changeset_id` int(11) NOT NULL, - `action` varchar(1) NOT NULL DEFAULT '', - `path` text NOT NULL, - `from_path` text, - `from_revision` varchar(255) DEFAULT NULL, - `revision` varchar(255) 
DEFAULT NULL, - `branch` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `changesets_changeset_id` (`changeset_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changes` --- - -LOCK TABLES `changes` WRITE; -/*!40000 ALTER TABLE `changes` DISABLE KEYS */; -/*!40000 ALTER TABLE `changes` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changeset_parents` --- - -DROP TABLE IF EXISTS `changeset_parents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changeset_parents` ( - `changeset_id` int(11) NOT NULL, - `parent_id` int(11) NOT NULL, - KEY `changeset_parents_changeset_ids` (`changeset_id`), - KEY `changeset_parents_parent_ids` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changeset_parents` --- - -LOCK TABLES `changeset_parents` WRITE; -/*!40000 ALTER TABLE `changeset_parents` DISABLE KEYS */; -/*!40000 ALTER TABLE `changeset_parents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets` --- - -DROP TABLE IF EXISTS `changesets`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `repository_id` int(11) NOT NULL, - `revision` varchar(255) NOT NULL, - `committer` varchar(255) DEFAULT NULL, - `committed_on` datetime NOT NULL, - `comments` longtext, - `commit_date` date DEFAULT NULL, - `scmid` varchar(255) DEFAULT NULL, - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), - KEY `index_changesets_on_user_id` (`user_id`), - KEY `index_changesets_on_repository_id` (`repository_id`), - KEY `index_changesets_on_committed_on` (`committed_on`), - KEY `changesets_repos_scmid` 
(`repository_id`,`scmid`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets` --- - -LOCK TABLES `changesets` WRITE; -/*!40000 ALTER TABLE `changesets` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets_issues` --- - -DROP TABLE IF EXISTS `changesets_issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets_issues` ( - `changeset_id` int(11) NOT NULL, - `issue_id` int(11) NOT NULL, - UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), - KEY `index_changesets_issues_on_issue_id` (`issue_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets_issues` --- - -LOCK TABLES `changesets_issues` WRITE; -/*!40000 ALTER TABLE `changesets_issues` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets_issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `comments` --- - -DROP TABLE IF EXISTS `comments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `comments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `commented_type` varchar(30) NOT NULL DEFAULT '', - `commented_id` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `content` text, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), - KEY `index_comments_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `comments` --- - -LOCK TABLES `comments` WRITE; -/*!40000 ALTER TABLE `comments` DISABLE KEYS */; -/*!40000 ALTER 
TABLE `comments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_field_enumerations` --- - -DROP TABLE IF EXISTS `custom_field_enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_field_enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `custom_field_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `position` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_field_enumerations` --- - -LOCK TABLES `custom_field_enumerations` WRITE; -/*!40000 ALTER TABLE `custom_field_enumerations` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_field_enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields` --- - -DROP TABLE IF EXISTS `custom_fields`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(30) NOT NULL DEFAULT '', - `field_format` varchar(30) NOT NULL DEFAULT '', - `possible_values` text, - `regexp` varchar(255) DEFAULT '', - `min_length` int(11) DEFAULT NULL, - `max_length` int(11) DEFAULT NULL, - `is_required` tinyint(1) NOT NULL DEFAULT '0', - `is_for_all` tinyint(1) NOT NULL DEFAULT '0', - `is_filter` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `searchable` tinyint(1) DEFAULT '0', - `default_value` text, - `editable` tinyint(1) DEFAULT '1', - `visible` tinyint(1) NOT NULL DEFAULT '1', - `multiple` tinyint(1) DEFAULT '0', - `format_store` text, - `description` text, - PRIMARY KEY (`id`), - KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; -/*!40101 
SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields` --- - -LOCK TABLES `custom_fields` WRITE; -/*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; -INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,16,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,12,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,17,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- 
low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Signature ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(14,'IssueCustomField','Product','list','---\n- windows\n- linux\n- antivirus\n- osquery\n','',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- 
T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1224\n- T1225\n- T1226\n- T1227\n- T1228\n- T1229\n- T1230\n- T1231\n- T1232\n- T1233\n- T1234\n- T1235\n- T1236\n- T1237\n- T1238\n- T1239\n- T1240\n- T1241\n- T1242\n- T1243\n- T1244\n- T1245\n- T1246\n- T1247\n- T1248\n- T1249\n- T1250\n- T1251\n- T1252\n- T1253\n- T1254\n- T1255\n- T1256\n- T1257\n- T1258\n- T1259\n- T1260\n- T1261\n- T1262\n- T1263\n- T1264\n- T1265\n- T1266\n- T1267\n- T1268\n- T1269\n- T1270\n- T1271\n- T1272\n- T1273\n- T1274\n- T1275\n- T1276\n- T1277\n- T1278\n- T1279\n- T1280\n- T1281\n- T1282\n- T1283\n- T1284\n- T1285\n- T1286\n- T1287\n- T1288\n- T1289\n- T1290\n- T1291\n- T1292\n- T1293\n- T1294\n- T1295\n- T1296\n- T1297\n- T1298\n- T1299\n- T1300\n- T1301\n- T1302\n- T1303\n- T1304\n- T1305\n- T1306\n- T1307\n- T1308\n- T1309\n- T1310\n- T1311\n- T1312\n- T1313\n- T1314\n- T1315\n- T1316\n- T1317\n- T1318\n- T1319\n- T1320\n- T1321\n- T1322\n- T1323\n- T1324\n- T1325\n- T1326\n- 
T1327\n- T1328\n- T1329\n- T1330\n- T1331\n- T1332\n- T1333\n- T1334\n- T1335\n- T1336\n- T1337\n- T1338\n- T1339\n- T1340\n- T1341\n- T1342\n- T1343\n- T1344\n- T1345\n- T1346\n- T1347\n- T1348\n- T1349\n- T1350\n- T1351\n- T1352\n- T1353\n- T1354\n- T1355\n- T1356\n- T1357\n- T1358\n- T1359\n- T1360\n- T1361\n- T1362\n- T1363\n- T1364\n- T1365\n- T1366\n- T1367\n- T1368\n- T1369\n- T1370\n- T1371\n- T1372\n- T1373\n- T1374\n- T1375\n- T1376\n- T1377\n- T1378\n- T1379\n- T1380\n- T1381\n- T1382\n- T1383\n- T1384\n- T1385\n- T1386\n- T1387\n- T1388\n- T1389\n- T1390\n- T1391\n- T1392\n- T1393\n- T1394\n- T1395\n- T1396\n- T1397\n- T1398\n- T1399\n- T1400\n- T1401\n- T1402\n- T1403\n- T1404\n- T1405\n- T1406\n- T1407\n- T1408\n- T1409\n- T1410\n- T1411\n- T1412\n- T1413\n- T1414\n- T1415\n- T1416\n- T1417\n- T1418\n- T1419\n- T1420\n- T1421\n- T1422\n- T1423\n- T1424\n- T1425\n- T1426\n- T1427\n- T1428\n- T1429\n- T1430\n- T1431\n- T1432\n- T1433\n- T1434\n- T1435\n- T1436\n- T1437\n- T1438\n- T1439\n- T1440\n- T1441\n- T1442\n- T1443\n- T1444\n- T1445\n- T1446\n- T1447\n- T1448\n- T1449\n- T1450\n- T1451\n- T1452\n- T1453\n- T1454\n- T1455\n- T1456\n- T1457\n- T1458\n- T1459\n- T1460\n- T1461\n- T1462\n- T1463\n- T1464\n- T1465\n- T1466\n- T1467\n- T1468\n- T1469\n- T1470\n- T1471\n- T1472\n- T1473\n- T1474\n- T1475\n- T1476\n- T1477\n- T1478\n- T1479\n- T1480\n- T1481\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1507\n- T1508\n- T1509\n- T1510\n- T1511\n- T1512\n- T1513\n- T1514\n- T1515\n- T1516\n- T1517\n- T1518\n- T1519\n- T1520\n- T1521\n- T1522\n- T1523\n- T1524\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1532\n- T1533\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- 
T1549\n- T1550\n- T1551\n- T1552\n- T1553\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(16,'IssueCustomField','Category','list','---\n- win-sysmon\n- win-builtin\n- win-proc\n- win-malware\n- win-other\n- win-powershell\n','',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,11,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''); -/*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_projects` --- - -DROP TABLE IF EXISTS `custom_fields_projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_projects` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_projects` --- - -LOCK TABLES `custom_fields_projects` WRITE; -/*!40000 ALTER TABLE `custom_fields_projects` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_roles` --- - -DROP TABLE IF EXISTS `custom_fields_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_roles` ( - `custom_field_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY 
`custom_fields_roles_ids` (`custom_field_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_roles` --- - -LOCK TABLES `custom_fields_roles` WRITE; -/*!40000 ALTER TABLE `custom_fields_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_trackers` --- - -DROP TABLE IF EXISTS `custom_fields_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_trackers` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_trackers` --- - -LOCK TABLES `custom_fields_trackers` WRITE; -/*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; -INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(14,1),(15,1),(16,1),(17,1); -/*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_values` --- - -DROP TABLE IF EXISTS `custom_values`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_values` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `customized_type` varchar(30) NOT NULL DEFAULT '', - `customized_id` int(11) NOT NULL DEFAULT '0', - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `value` longtext, - PRIMARY KEY (`id`), - KEY `custom_values_customized` (`customized_type`,`customized_id`), - KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB 
AUTO_INCREMENT=11256 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_values` --- - -LOCK TABLES `custom_values` WRITE; -/*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; -INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n  (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n  selection:\n    EventID: 15\n  filter:\n    Imphash:\n    - \'00000000000000000000000000000000\'\n    - \n  condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|startswith: \\PSHost\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n
\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n    - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n    - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n    - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n
\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\atctl\n    - \\userpipe\n    - \\iehelper\n    - \\sdlrpc\n    - \\comnap\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n
\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n  condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n
\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage:\n    - \'*\\System32\\cscript.exe\'\n    - \'*\\System32\\wscript.exe\'\n    - \'*\\System32\\mshta.exe\'\n    - \'*\\winword.exe\'\n    - \'*\\excel.exe\'\n    TargetImage: \'*\\SysWOW64\\\\*\'\n    StartModule:\n  condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n
\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n  which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetProcessAddress|endswith:\n    - 0B80\n    - 0C7C\n    - 0C88\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n
\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n  to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    StartModule|endswith: \\kernel32.dll\n    StartFunction: LoadLibraryA\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n
\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n  dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n  (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage|endswith: \\lsass.exe\n    GrantedAccess|contains:\n    - \'0x40\'\n    - \'0x1000\'\n    - \'0x1400\'\n    - \'0x100000\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1438\'\n    - \'0x143a\'\n    - \'0x1418\'\n    - \'0x1f0fff\'\n    - \'0x1f1fff\'\n    - \'0x1f2fff\'\n    - \'0x1f3fff\'\n  filter:\n    ProcessName|endswith:\n    - \\wmiprvse.exe\n    - \\taskmgr.exe\n    - \\procexp64.exe\n    - \\procexp.exe\n    - \\lsm.exe\n    - \\csrss.exe\n    - \\wininit.exe\n    - \\vmtoolsd.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n  with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n  files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains:\n    - \\pwdump\n    - \\kirbi\n    - \\pwhashes\n    - \\wce_ccache\n    - \\wce_krbtkts\n    - \\fgdump-log\n    TargetFilename|endswith:\n    - \\test.pwd\n    - \\lsremora64.dll\n    - \\lsremora.dll\n    - \\fgexec.exe\n    - \\wceaux.dll\n    - \\SAM.out\n    - \\SECURITY.out\n    - \\SYSTEM.out\n    - \\NTDS.out\n    - \\DumpExt.dll\n    - \\DumpSvc.exe\n    - \\cachedump64.exe\n    - \\cachedump.exe\n    - \\pstgdump.exe\n    - \\servpw.exe\n    - \\servpw64.exe\n    - \\pwdump.exe\n    - \\procdump64.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n  pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|contains:\n    - \\lsadump\n    - \\cachedump\n    - \\wceservicepipe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n
\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n  parameter in Registry, which can be used to execute code in context of the DHCP\n  server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n  Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID: 12\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\Temp\\debug.bin\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n  reflectively loaded libraries in their memory space. An example is SilentTrinity\n  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n  call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n  the module name. Usually this means the stack call points to a module that was reflectively\n  loaded in memory. Adding to this, it is not common to see such few calls in the\n  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n  of the functions required by the process to execute certain routines are already\n  present in memory, not requiring any calls to external libraries. The latter should\n  also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_01:\n    EventID: 10\n    CallTrace:\n    - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n    - \'*UNKNOWN(*)|UNKNOWN(*)\'\n  selection_02:\n    EventID: 10\n    CallTrace: \'*UNKNOWN*\'\n  granted_access:\n    GrantedAccess:\n    - \'0x1F0FFF\'\n    - \'0x1F1FFF\'\n    - \'0x143A\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1F2FFF\'\n    - \'0x1F3FFF\'\n    - \'0x1FFFFF\'\n  condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n
\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n  powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\System.Management.Automation.Dll\n    - \\System.Management.Automation.ni.Dll\n  filter:\n    Image|endswith:\n    - \\powershell.exe\n    - \\WINDOWS\\System32\\sdiagnhost.exe\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n  Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\windows\\system32\\svchost.exe\'\n    GrantedAccess: \'0x1f3fff\'\n    CallTrace:\n    - \'*unknown*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    GrantedAccess: \'0x1fffff\'\n    CallTrace:\n    - \'*dbghelp.dll*\'\n    - \'*dbgcore.dll*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n  will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains: lsass\n    TargetFilename|endswith: dmp\n  condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n  responder or forensic invetigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnkown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\isapi_http\n    - \\isapi_dg\n    - \\isapi_dg2\n    - \\sdlrpc\n    - \\ahexec\n    - \\winsession\n    - \\lsassw\n    - \\46a676ab7f179e511e30dd2dc41bd388\n    - \\9f81f59bc58452127884ce513865ed20\n    - \\e710f28d59aa529d6792ca6ff0ca1b34\n    - \\rpchlp_3\n    - \\NamePipe_MoreWindows\n    - \\pcheap_reuse\n    - \\msagent_*\n    - \\gruntsvc\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n  on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationPort:\n    - \'4443\'\n    - \'2448\'\n    - \'8143\'\n    - \'1777\'\n    - \'1443\'\n    - \'243\'\n    - \'65535\'\n    - \'13506\'\n    - \'3360\'\n    - \'200\'\n    - \'198\'\n    - \'49180\'\n    - \'13507\'\n    - \'6625\'\n    - \'4444\'\n    - \'4438\'\n    - \'1904\'\n    - \'13505\'\n    - \'13504\'\n    - \'12102\'\n    - \'9631\'\n    - \'5445\'\n    - \'2443\'\n    - \'777\'\n    - \'13394\'\n    - \'13145\'\n    - \'12103\'\n    - \'5552\'\n    - \'3939\'\n    - \'3675\'\n    - \'666\'\n    - \'473\'\n    - \'5649\'\n    - \'4455\'\n    - \'4433\'\n    - \'1817\'\n    - \'100\'\n    - \'65520\'\n    - \'1960\'\n    - \'1515\'\n    - \'743\'\n    - \'700\'\n    - \'14154\'\n    - \'14103\'\n    - \'14102\'\n    - \'12322\'\n    - \'10101\'\n    - \'7210\'\n    - \'4040\'\n    - \'9943\'\n  filter1:\n    Image: \'*\\Program Files*\'\n  filter2:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n    DestinationIsIpv6: \'false\'\n  condition: selection and not ( filter1 
or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n
\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n  a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\verclsid.exe\'\n    GrantedAccess: \'0x1FFFFF\'\n  combination1:\n    CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n  combination2:\n    SourceImage: \'*\\Microsoft Office\\\\*\'\n    CallTrace: \'*|UNKNOWN*\'\n  condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndate: 2017/03/13\ndetection:\n  selector:\n    EventID: 7\n    Image: C:\\Windows\\System32\\rundll32.exe\n  dllload1:\n    ImageLoaded: \'*\\vaultcli.dll\'\n  dllload2:\n    ImageLoaded: \'*\\wlanapi.dll\'\n  exclusion:\n    ImageLoaded:\n    - ntdsapi.dll\n    - netapi32.dll\n    - imm32.dll\n    - samlib.dll\n    - combase.dll\n    - srvcli.dll\n    - shcore.dll\n    - ntasn1.dll\n    - cryptdll.dll\n    - logoncli.dll\n  timeframe: 30s\n  condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n  to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n  condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n
\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n  in a stealth way. Tools like ProcessHacker and some attacker tradecract use this\n  API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework\n  has a module that leverages this API to dump the contents of Lsass.exe and transfer\n  it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  signedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Image|endswith:\n    - \\msbuild.exe\n    - \\cmd.exe\n    - \\svchost.exe\n    - \\rundll32.exe\n    - \\powershell.exe\n    - \\word.exe\n    - \\excel.exe\n    - \\powerpnt.exe\n    - \\outlook.exe\n    - \\monitoringhost.exe\n    - \\wmic.exe\n    - \\msiexec.exe\n    - \\bash.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\schtasks.exe\n    - \\dnx.exe\n    - \\regsvcs.exe\n    - \\sc.exe\n    - \\scriptrunner.exe\n  unsignedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Signed: \'FALSE\'\n  filter:\n    Image|contains: Visual Studio\n  condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n
\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    EventID: 12\n    EventType: DeleteValue\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n  selection2:\n    EventID: 13\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n  condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n  in the Registry key can be abused to obtain persistence and privilege escalation\n  by causing a malicious DLL to be loaded and run in the context of separate processes\n  on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n  into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  - EventID: 14\n    NewName:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n
\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n  EventID 8 in combination with the lsass.exe process as TargetImage. The process\n  in field Process is the malicious program. A single execution can lead to hundreds\n  of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetImage: C:\\Windows\\System32\\lsass.exe\n    StartModule:\n  condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS answers for one domain name, with IPs from both internal and external networks. Normally a DNS answer carries a TTL >100, so the record stays in the host cache for the length of that TTL.'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\nUnknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS answers for one domain name, with IPs from\n  both internal and external networks. Normally a DNS answer carries a TTL >100, so\n  the record stays in the host cache for the length of that TTL.\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  dns_answer:\n    EventID: 22\n    QueryName: \'*\'\n    QueryStatus: \'0\'\n  filter_int_ip:\n    QueryResults|startswith:\n    - (::ffff:)?10.\n    - (::ffff:)?192.168.\n    - (::ffff:)?172.16.\n    - (::ffff:)?172.17.\n    - (::ffff:)?172.18.\n    - (::ffff:)?172.19.\n    - (::ffff:)?172.20.\n    - (::ffff:)?172.21.\n    - (::ffff:)?172.22.\n    - (::ffff:)?172.23.\n    - (::ffff:)?172.24.\n    - (::ffff:)?172.25.\n    - (::ffff:)?172.26.\n    - (::ffff:)?172.27.\n    - (::ffff:)?172.28.\n    - (::ffff:)?172.29.\n    - (::ffff:)?172.30.\n    - (::ffff:)?172.31.\n    - (::ffff:)?127.\n  timeframe: 30s\n  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n    | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes running at Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detects modification of service configuration (ImagePath, FailureCommand\n  and ServiceDLL) in the registry by processes running at Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    IntegrityLevel: Medium\n    TargetObject|contains: \\services\\\n    TargetObject|endswith:\n    - \\ImagePath\n    - \\FailureCommand\n    - \\Parameters\\ServiceDll\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR 
*\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename:\n    - \'*\\Invoke-DllInjection.ps1\'\n    - \'*\\Invoke-WmiCommand.ps1\'\n    - \'*\\Get-GPPPassword.ps1\'\n    - \'*\\Get-Keystrokes.ps1\'\n    - \'*\\Get-VaultCredential.ps1\'\n    - \'*\\Invoke-CredentialInjection.ps1\'\n    - \'*\\Invoke-Mimikatz.ps1\'\n    - \'*\\Invoke-NinjaCopy.ps1\'\n    - \'*\\Invoke-TokenManipulation.ps1\'\n    - \'*\\Out-Minidump.ps1\'\n    - \'*\\VolumeShadowCopyTools.ps1\'\n    - \'*\\Invoke-ReflectivePEInjection.ps1\'\n    - \'*\\Get-TimedScreenshot.ps1\'\n    - \'*\\Invoke-UserHunter.ps1\'\n    - \'*\\Find-GPOLocation.ps1\'\n    - \'*\\Invoke-ACLScanner.ps1\'\n    - \'*\\Invoke-DowngradeAccount.ps1\'\n    - \'*\\Get-ServiceUnquoted.ps1\'\n    - \'*\\Get-ServiceFilePermission.ps1\'\n    - \'*\\Get-ServicePermission.ps1\'\n    - \'*\\Invoke-ServiceAbuse.ps1\'\n    - \'*\\Install-ServiceBinary.ps1\'\n    - \'*\\Get-RegAutoLogon.ps1\'\n    - \'*\\Get-VulnAutoRun.ps1\'\n    - \'*\\Get-VulnSchTask.ps1\'\n    - \'*\\Get-UnattendedInstallFile.ps1\'\n    - \'*\\Get-WebConfig.ps1\'\n    - \'*\\Get-ApplicationHost.ps1\'\n    - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n    - \'*\\Get-Unconstrained.ps1\'\n    - \'*\\Add-RegBackdoor.ps1\'\n    - \'*\\Add-ScrnSaveBackdoor.ps1\'\n    - \'*\\Gupt-Backdoor.ps1\'\n    - \'*\\Invoke-ADSBackdoor.ps1\'\n    - \'*\\Enabled-DuplicateToken.ps1\'\n    - \'*\\Invoke-PsUaCme.ps1\'\n    - \'*\\Remove-Update.ps1\'\n    - \'*\\Check-VM.ps1\'\n    - 
\'*\\Get-LSASecret.ps1\'\n    - \'*\\Get-PassHashes.ps1\'\n    - \'*\\Show-TargetScreen.ps1\'\n    - \'*\\Port-Scan.ps1\'\n    - \'*\\Invoke-PoshRatHttp.ps1\'\n    - \'*\\Invoke-PowerShellTCP.ps1\'\n    - \'*\\Invoke-PowerShellWMI.ps1\'\n    - \'*\\Add-Exfiltration.ps1\'\n    - \'*\\Add-Persistence.ps1\'\n    - \'*\\Do-Exfiltration.ps1\'\n    - \'*\\Start-CaptureServer.ps1\'\n    - \'*\\Invoke-ShellCode.ps1\'\n    - \'*\\Get-ChromeDump.ps1\'\n    - \'*\\Get-ClipboardContents.ps1\'\n    - \'*\\Get-FoxDump.ps1\'\n    - \'*\\Get-IndexedItem.ps1\'\n    - \'*\\Get-Screenshot.ps1\'\n    - \'*\\Invoke-Inveigh.ps1\'\n    - \'*\\Invoke-NetRipper.ps1\'\n    - \'*\\Invoke-EgressCheck.ps1\'\n    - \'*\\Invoke-PostExfil.ps1\'\n    - \'*\\Invoke-PSInject.ps1\'\n    - \'*\\Invoke-RunAs.ps1\'\n    - \'*\\MailRaider.ps1\'\n    - \'*\\New-HoneyHash.ps1\'\n    - \'*\\Set-MacAttribute.ps1\'\n    - \'*\\Invoke-DCSync.ps1\'\n    - \'*\\Invoke-PowerDump.ps1\'\n    - \'*\\Exploit-Jboss.ps1\'\n    - \'*\\Invoke-ThunderStruck.ps1\'\n    - \'*\\Invoke-VoiceTroll.ps1\'\n    - \'*\\Set-Wallpaper.ps1\'\n    - \'*\\Invoke-InveighRelay.ps1\'\n    - \'*\\Invoke-PsExec.ps1\'\n    - \'*\\Invoke-SSHCommand.ps1\'\n    - \'*\\Get-SecurityPackages.ps1\'\n    - \'*\\Install-SSP.ps1\'\n    - \'*\\Invoke-BackdoorLNK.ps1\'\n    - \'*\\PowerBreach.ps1\'\n    - \'*\\Get-SiteListPassword.ps1\'\n    - \'*\\Get-System.ps1\'\n    - \'*\\Invoke-BypassUAC.ps1\'\n    - \'*\\Invoke-Tater.ps1\'\n    - \'*\\Invoke-WScriptBypassUAC.ps1\'\n    - \'*\\PowerUp.ps1\'\n    - \'*\\PowerView.ps1\'\n    - \'*\\Get-RickAstley.ps1\'\n    - \'*\\Find-Fruit.ps1\'\n    - \'*\\HTTP-Login.ps1\'\n    - \'*\\Find-TrustedDocuments.ps1\'\n    - \'*\\Invoke-Paranoia.ps1\'\n    - \'*\\Invoke-WinEnum.ps1\'\n    - \'*\\Invoke-ARPScan.ps1\'\n    - \'*\\Invoke-PortScan.ps1\'\n    - \'*\\Invoke-ReverseDNSLookup.ps1\'\n    - \'*\\Invoke-SMBScanner.ps1\'\n    - \'*\\Invoke-Mimikittenz.ps1\'\n  condition: selection\nfalsepositives:\n- Penetration 
Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a PowerShell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s IP range)'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a PowerShell process that opens network connections - check for\n  suspicious target ports and target systems - adjust to your environment (e.g. extend\n  filters with company\'s IP range)\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\powershell.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.0.0.1\n    DestinationIsIpv6: \'false\'\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n
\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n
\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 9\n  filter_1:\n    Device|contains: floppy\n  filter_2:\n  - Image|endswith:\n    - \\wmiprvse.exe\n    - \\sdiagnhost.exe\n    - \\searchindexer.exe\n    - \\csrss.exe\n    - \\defrag.exe\n    - \\smss.exe\n    - \\vssvc.exe\n    - \\compattelrunner.exe\n    - \\wininit.exe\n    - \\autochk.exe\n    - \\taskhost.exe\n    - \\dfsrs.exe\n    - \\vds.exe\n    - \\lsass.exe\n  condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n  and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|endswith:\n    - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n    - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n    Details: DWORD (0x00000000)\n  condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n  address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\svchost.exe\'\n    Initiated: \'true\'\n    SourcePort: 3389\n    DestinationIp:\n    - 127.*\n    - ::1\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg:\n    EventID: 13\n    TargetObject:\n    - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n    - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n    - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n  condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compability'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n  condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n  filter:\n    Details:\n    - \'%%systemroot%%\\system32\\\\*\'\n    - \'%%systemroot%%\\SysWow64\\\\*\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n  condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n  of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject|contains: TrustRecords\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 3\n    - 22\n    Image|endswith: \\regsvr32.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n  connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort:\n    - 5985\n    - 5986\n  filter:\n    User: NT AUTHORITY\\NETWORK SERVICE\n  condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Description: Java Update Scheduler\n  selection2:\n    Description: Java(TM) Update Scheduler\n  filter:\n    Image|endswith:\n    - \\jusched.exe\n  condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n  or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Windows PowerShell\n    Company: Microsoft Corporation\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n  attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    OriginalFileName: procdump\n  filter:\n    Image:\n    - \'*\\procdump.exe\'\n    - \'*\\procdump64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n  malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Execute processes remotely\n    Product: Sysinternals PsExec\n  filter:\n    Image:\n    - \'*\\PsExec.exe\'\n    - \'*\\PsExec64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n
\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\rundll32.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n  condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n  spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n
\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n  SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n  exclusion_images:\n  - Image: C:\\Windows\\system32\\msiexec.exe\n  - Image: C:\\Windows\\syswow64\\MsiExec.exe\n  condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n  tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n  selection_2:\n    Image|contains:\n    - C:\\windows\\system32\\svchost.exe\n    - C:\\windows\\system32\\dllhost.exe\n    - C:\\windows\\system32\\mmc.exe\n    - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n  by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n  to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n  changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  filter:\n    Image:\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\System32\\msiexec.exe\n    - C:\\Windows\\System32\\mmc.exe\n  selection:\n    EventID: 11\n    TargetFilename|endswith: \\desktop.ini\n  condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n  or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    Image:\n    - \'*\\Downloads\\\\*\'\n    - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n    - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n    TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n  condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 6\n    ImageLoaded: \'*\\Temp\\\\*\'\n  condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n  created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    Description: \\?\n    FileVersion: \\?\n  selection2:\n    Description: \\?\n    Product: \\?\n  selection3:\n    Description: \\?\n    Company: \\?\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n  through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\notepad.exe\'\n    ImageLoaded:\n    - \'*\\samlib.dll\'\n    - \'*\\WinSCard.dll\'\n  condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n
\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n  Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n    - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n
\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\assembly\\*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n
\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\clr.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n
\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\dsparse.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\kerberos.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage: \'*\\powershell.exe\'\n    TargetImage: \'*\\rundll32.exe\'\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n  local temporary folder. This driver is used by Sysinternals Process Explorer but\n  also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n  Clever attackers may easily bypass this detection by just renaming the driver filename.\n  Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n  system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Use the following config to generate the necessary Event ID 3 Network\n    Connection events\ndetection:\n  selection:\n    EventID: 3\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - \'*\\Users\\Contacts\\\\*\'\n    - \'*\\Users\\Searches\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n  lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 3389\n    Initiated: \'true\'\n  filter:\n    Image:\n    - \'*\\mstsc.exe\'\n    - \'*\\RTSApp.exe\'\n    - \'*\\RTS2App.exe\'\n    - \'*\\RDCMan.exe\'\n    - \'*\\ws_TunnelService.exe\'\n    - \'*\\RSSensor.exe\'\n    - \'*\\RemoteDesktopManagerFree.exe\'\n    - \'*\\RemoteDesktopManager.exe\'\n    - \'*\\RemoteDesktopManager64.exe\'\n    - \'*\\mRemoteNG.exe\'\n    - \'*\\mRemote.exe\'\n    - \'*\\Terminals.exe\'\n    - \'*\\spiceworks-finder.exe\'\n    - \'*\\FSDiscovery.exe\'\n    - \'*\\FSAssessment.exe\'\n    - \'*\\MobaRTE.exe\'\n    - \'*\\chrome.exe\'\n    - \'*\\thor.exe\'\n    - \'*\\thor64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n  and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n    Details:\n    - C:\\Windows\\Temp\\\\*\n    - C:\\ProgramData\\\\*\n    - \'*\\AppData\\\\*\'\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Temp\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\Default\\\\*\n  condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n
\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n  suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n    Details:\n    - \'*C:\\Windows\\Temp\\\\*\'\n    - \'*\\AppData\\\\*\'\n    - \'%AppData%\\\\*\'\n    - \'*C:\\$Recycle.bin\\\\*\'\n    - \'*C:\\Temp\\\\*\'\n    - \'*C:\\Users\\Public\\\\*\'\n    - \'%Public%\\\\*\'\n    - \'*C:\\Users\\Default\\\\*\'\n    - \'*C:\\Users\\Desktop\\\\*\'\n    - wscript*\n    - cscript*\n  filter:\n    Details|contains:\n    - \\AppData\\Local\\Microsoft\\OneDrive\\\n  condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n  to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n    - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  selection_3:\n    Details|contains:\n    - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n  condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n  may easily bypass this detection by just renaming the services. Therefore just Medium-level\n  and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n
\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\VBE7.DLL*\'\n    - \'*\\VBEUI.DLL*\'\n    - \'*\\VBE7INTL.DLL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\wmiutils.dll\'\n    - \'*\\wbemcomn.dll\'\n    - \'*\\wbemprox.dll\'\n    - \'*\\wbemdisp.dll\'\n    - \'*\\wbemsvc.dll\'\n  condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n  layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n  maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n    subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - \'*\\Keyboard Layout\\Preload\\*\'\n    - \'*\\Keyboard Layout\\Substitutes\\*\'\n    Details|contains:\n    - 429\n    - 50429\n    - 0000042a\n  condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n  depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n  indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 88\n    Initiated: \'true\'\n  filter:\n    Image|endswith:\n    - \\lsass.exe\n    - \\opera.exe\n    - \\chrome.exe\n    - \\firefox.exe\n  condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n  however, this is still largely observed in the wild. This rule aims to detect suspicious\n  processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n  creating remote threads on other processes. It is a generalistic rule, but it should\n  have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n  for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n  selection:\n    EventID: 8\n    SourceImage|endswith:\n    - \\bash.exe\n    - \\cvtres.exe\n    - \\defrag.exe\n    - \\dnx.exe\n    - \\esentutl.exe\n    - \\excel.exe\n    - \\expand.exe\n    - \\explorer.exe\n    - \\find.exe\n    - \\findstr.exe\n    - \\forfiles.exe\n    - \\git.exe\n    - \\gpupdate.exe\n    - \\hh.exe\n    - \\iexplore.exe\n    - \\installutil.exe\n    - \\lync.exe\n    - \\makecab.exe\n    - \\mDNSResponder.exe\n    - \\monitoringhost.exe\n    - \\msbuild.exe\n    - \\mshta.exe\n    - \\msiexec.exe\n    - \\mspaint.exe\n    - \\outlook.exe\n    - \\ping.exe\n    - \\powerpnt.exe\n    - \\powershell.exe\n    - \\provtool.exe\n    - \\python.exe\n    - \\regsvr32.exe\n    - \\robocopy.exe\n    - \\runonce.exe\n    - \\sapcimc.exe\n    - \\schtasks.exe\n    - \\smartscreen.exe\n    - \\spoolsv.exe\n    - \\tstheme.exe\n    - \\userinit.exe\n    - \\vssadmin.exe\n    - \\vssvc.exe\n    - \\w3wp.exe*\n    - \\winlogon.exe\n    - \\winscp.exe\n    - \\wmic.exe\n    
- \\word.exe\n    - \\wscript.exe\n  filter:\n    SourceImage|contains: Visual Studio\n  condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n
\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n  do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n  malicious logic within the PROCESS_ATTACH block of their library and restart the\n  aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n  machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - \'*\\tsmsisrv.dll\'\n    - \'*\\tsvipsrv.dll\'\n    - \'*\\wlbsctrl.dll\'\n  filter:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - C:\\Windows\\WinSxS\\*\n  condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n
\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n  machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: \'*\\mstsc.exe\'\n    TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  methregistry:\n    EventID: 13\n    TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n  methprocess:\n    EventID: 1\n    ParentImage: \'*\\eventvwr.exe\'\n  filterprocess:\n    Image: \'*\\mmc.exe\'\n  condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n
\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image|endswith: \\lsass.exe\n    Signed: \'false\'\n  condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n  selection_2:\n    TargetFilename|contains: \\inetpub\\wwwroot\\\n  selection_3:\n    TargetFilename|contains:\n    - .asp\n    - .ashx\n    - .ph\n  selection_4:\n    TargetFilename|contains:\n    - \\www\\\n    - \\htdocs\\\n    - \\html\\\n  selection_5:\n    TargetFilename|contains: .ph\n  selection_6:\n  - TargetFilename|endswith: .jsp\n  - TargetFilename|contains|all:\n    - \\cgi-bin\\\n    - .pl\n  condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n    selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n  web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*.github.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*dl.dropboxusercontent.com\'\n    - \'*.pastebin.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg1:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n    EventType: SetValue\n  condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selector:\n    EventID:\n    - 19\n    - 20\n    - 21\n  condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\wmiclnt.dll\n    - \\WmiApRpl.dll\n    - \\wmiprov.dll\n    - \\wmiutils.dll\n    - \\wbemcomn.dll\n    - \\wbemprox.dll\n    - \\WMINet_Utils.dll\n    - \\wbemsvc.dll\n    - \\fastprox.dll\n  filter:\n    Image|endswith:\n    - \\WmiPrvSe.exe\n    - \\WmiPrvSE.exe\n    - \\WmiAPsrv.exe\n    - \\svchost.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n    ImageLoaded: wbemcons.dll\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 20\n    Destination:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n    - \'* iex(*\'\n    - \'*WScript.shell*\'\n    - \'* -nop *\'\n    - \'* -noprofile *\'\n    - \'* -decode *\'\n    - \'* -enc *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n
\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n  as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*-noni -ep bypass $*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n
\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n  selection:\n    CommandLine:\n    - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n    - powershell.exe mshta.exe http*\n    - cmd.exe /c taskkill /im cmd.exe\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Judgement Panda activity as described in Global Threat Report 2019\n  by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\xcopy.exe\'\n    CommandLine: \'* /S /E /C /Q /H \\\\*\'\n  selection2:\n    Image: \'*\\adexplorer.exe\'\n    CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n
\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n  in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n    - \'*\\AppData\\Local\\\\*,DllEntry*\'\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n
\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cscript.exe\'\n    CommandLine: \'*.vbs /shell *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n
\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\crackmapexec.exe\'\n  condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor activity as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n
\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor activity as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: C:\\Windows\\SysWOW64\\cmd.exe\n    CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n  selection2:\n    CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n
\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n  Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\sllauncher.exe\'\n    Image: \'*\\svchost.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n
\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*,dll_u\'\n  selection2:\n    CommandLine: \'* -export dll_u *\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n
\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* localgroup administrators admin /add\'\n    - \'*\\Win64.exe*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n  2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*\\ldifde.exe -f -n *\'\n    - \'*\\7za.exe a 1.7z *\'\n    - \'* eprod.ldf\'\n    - \'*\\aaaa\\procdump64.exe*\'\n    - \'*\\aaaa\\netsess.exe*\'\n    - \'*\\aaaa\\7za.exe*\'\n    - \'*copy .\\1.7z \\\\*\'\n    - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n  selection2:\n    Image: C:\\Users\\Public\\7za.exe\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n
\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*Temp\\wtask.exe /create*\'\n    - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n    - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n    - \'*/tn \"Security Script *\'\n    - \'*%windir:~-1,1%*\'\n  selection2:\n    Image:\n    - \'*Temp\\winwsh.exe\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader activity as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n
\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader activity as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rundll32.exe %APPDATA%\\\\*.dat\",*\n    - rundll32.exe %APPDATA%\\\\*.dll\",#1\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n
\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n  as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: ps.exe -accepteula\n  condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n
\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n  in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n  condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n
\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n  Dec/Jan 2020 in a campaign against Hong Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage|contains:\n    - C:\\Windows\\Temp\n    - \\hpqhvind.exe\n    Image|startswith: C:\\ProgramData\\DRM\n  selection2:\n    ParentImage|startswith: C:\\ProgramData\\DRM\n    Image|endswith: \\wmplayer.exe\n  selection3:\n    ParentImage|endswith: \\Test.exe\n    Image|endswith: \\wmplayer.exe\n  selection4:\n    Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n  selection5:\n    ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n    Image|endswith: \\SearchFilterHost.exe\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n
\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Command:\n    - rundll32.exe *,zxFunction*\n    - rundll32.exe *,RemoteDiskXXXXX\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n
\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\attrib.exe\'\n    CommandLine: \'* +h *\'\n  ini:\n    CommandLine: \'*\\desktop.ini *\'\n  intel:\n    ParentImage: \'*\\cmd.exe\'\n    CommandLine: +R +H +S +A \\\\*.cui\n    ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n  condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n  and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to modify boot configuration data so that Windows skips automatic recovery (bootstatuspolicy ignoreallfailures, recoveryenabled no). This tactic is sometimes used by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to modify boot configuration data so that Windows skips automatic recovery (bootstatuspolicy ignoreallfailures, recoveryenabled no). This tactic is sometimes used by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n
\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n  imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - wmic * *format:\\\"http*\n    - wmic * /format:\'http\n    - wmic * /format:http*\n  selection2:\n    Imphash:\n    - 1B1A3F43BF37B5BFE60751F2EE2F326E\n    - 37777A96245A3C74EB217308F3546F4C\n    - 9D87C9D67CE724033C0B40CC4CA1B206\n    CommandLine:\n    - \'* *format:\\\"http*\'\n    - \"* /format:\'http\"\n    - \'* /format:http*\'\n  condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n
\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n  called the file association or handler) is checked. File association selections\n  are stored in the Windows Registry and can be edited by users, administrators, or\n  programs that have Registry access or by administrators using the built-in assoc\n  utility. Applications can modify the file association for a given file extension\n  to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - cmd\n    - /c\n    - assoc\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n
\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cmdkey.exe\'\n    CommandLine: \'* /list *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n
\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n  Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentCommandLine: \'*\\DllHost.exe\'\n  selection2:\n    ParentCommandLine:\n    - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n    - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n
\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n  folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    CommandLine: \'*.cpl\'\n  filter:\n    CommandLine:\n    - \'*\\System32\\\\*\'\n    - \'*%System%*\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n
\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n  copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\esentutl.exe\n    CommandLine|contains:\n    - vss\n    - \' /m \'\n    - \' /y \'\n  - CommandLine|contains:\n    - \\windows\\ntds\\ntds.dit\n    - \\config\\sam\n    - \\config\\security\n    - \'\\config\\system \'\n    - \\repair\\sam\n    - \\repair\\system\n    - \\repair\\security\n    - \\config\\RegBack\\sam\n    - \\config\\RegBack\\system\n    - \\config\\RegBack\\security\n  condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n  by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n
\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n
\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n  prior to exfiltration in order to make it portable and minimize the amount of data\n  sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\rar.exe\n    CommandLine|contains: \' a \'\n  condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains|all:\n    - -filter\n    - trustedDomain\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n  line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains: ::FromBase64String\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains:\n    - IEX ([\n    - iex ([\n    - iex (New\n    - IEX (New\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n  indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_clear_1:\n    CommandLine: \'* cl */Trace*\'\n  selection_clear_2:\n    CommandLine: \'* clear-log */Trace*\'\n  selection_disable_1:\n    CommandLine: \'* sl* /e:false*\'\n  selection_disable_2:\n    CommandLine: \'* set-log* /e:false*\'\n  condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n
\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\plink.exe\n    - \\socat.exe\n    - \\stunnel.exe\n    - \\httptunnel.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n  in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\MicroScMgmt.exe \'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n  for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\FLTLDR.exe*\'\n  condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n  (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n
\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n  sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\EQNEDT32.EXE\'\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n  for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\csc.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n  SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - C:\\Windows\\Setup\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n  to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\consent.exe\'\n    Image: \'*\\iexplore.exe\'\n    CommandLine: \'* http*\'\n  rights1:\n    IntegrityLevel: System\n  rights2:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n  vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n    Image|endswith:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n
\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\takeown.exe\n    - \\cacls.exe\n    - \\icacls.exe\n    CommandLine|contains: /grant\n  - Image|endswith: \\attrib.exe\n    CommandLine|contains: -r\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n
\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    NewProcessName: \'*\\reg.exe\'\n    CommandLine|contains:\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - hklm\n    - hkey_local_machine\n  selection_3:\n    CommandLine|endswith:\n    - \\system\n    - \\sam\n    - \\security\n  condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n
\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n  tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|contains:\n    - \\Bloodhound.exe\n    - \\SharpHound.exe\n  selection2:\n    CommandLine|contains:\n    - \' -CollectionMethod All \'\n    - \'.exe -c All -d \'\n    - Invoke-Bloodhound\n    - Get-BloodHoundData\n  selection3:\n    CommandLine|contains|all:\n    - \' -JsonFolder \'\n    - \' -ZipFileName \'\n  selection4:\n    CommandLine|contains|all:\n    - \' DCOnly \'\n    - \' --NoSaveCache \'\n  condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n
\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*cmd.exe* /q /c chcp *\'\n  condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n
\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* asreproast *\'\n    - \'* dump /service:krbtgt *\'\n    - \'* kerberoast *\'\n    - \'* createnetonly /program:*\'\n    - \'* ptt /ticket:*\'\n    - \'* /impersonateuser:*\'\n    - \'* renew /ticket:*\'\n    - \'* asktgt /user:*\'\n    - \'* harvest /interval:*\'\n  condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n
\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Company: SecurityXploded\n  selection2:\n    Image|endswith: PasswordDump.exe\n  selection3:\n    OriginalFilename|endswith: PasswordDump.exe\n  condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n
\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\hh.exe\n    CommandLine|contains: .chm\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n
\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n  executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: C:\\Windows\\hh.exe\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\rundll32.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n  could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\Hwp.exe\'\n    Image: \'*\\gbb.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n
\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_other:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\services.exe\'\n    CommandLine:\n    - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n  selection_atexec:\n    ParentCommandLine:\n    - \'*svchost.exe -k netsvcs\'\n    - taskeng.exe*\n    CommandLine:\n    - cmd.exe /C *Windows\\\\Temp\\\\*&1\n  condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n
\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n  pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\pcalua.exe\n    - \\forfiles.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n  as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n  in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n  condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n
\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n  escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\at.exe\n    CommandLine|contains: interactive\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n
\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n  by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n  product: windows\n  service: process_creation\ndetection:\n  selection:\n  - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n  - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n  - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n  - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n  - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n  - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n  - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentIntegrityLevel: Medium\n    IntegrityLevel: System\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n  in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\svchost.exe\'\n    Image: \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n
\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n  - Image|endswith: \\whoami.exe\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains|all:\n    - useraccount\n    - get\n  - Image|endswith:\n    - \\quser.exe\n    - \\qwinsta.exe\n  - Image|endswith: \\cmdkey.exe\n    CommandLine|contains: /list\n  - Image|endswith: \\cmd.exe\n    CommandLine|contains|all:\n    - /c\n    - \'dir \'\n    - \\Users\\\n  filter_1:\n    CommandLine|contains:\n    - \' rmdir \'\n  selection_2:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: user\n  filter_2:\n    CommandLine|contains:\n    - /domain\n    - /add\n    - /delete\n    - /active\n    - /expires\n    - /passwordreq\n    - /scriptpath\n    - /times\n    - /workstations\n  condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n  which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n  to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine|contains|all:\n    - lsass\n    - .dmp\n  selection2:\n    Image|endswith: \\werfault.exe\n  selection3:\n    Image|contains: \\procdump\n    Image|endswith: .exe\n    CommandLine|contains: lsass\n  condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n
\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n  selection2:\n    ParentImage: \'*\\svchost.exe*\'\n    CommandLine:\n    - \'*whoami.exe /all\'\n    - \'*net.exe view\'\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n
\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* echo EEEE > *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n
\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n  more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e* PAA*\'\n    - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n    - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n    - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n    - \'*IgAoACcAKgAnACkAOwAkA*\'\n    - \'*IAKAAnACoAJwApADsAJA*\'\n    - \'*iACgAJwAqACcAKQA7ACQA*\'\n    - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n
\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n  of files in the System32 folder, which executes a special command command line to\n  delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n  all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - C:\\Windows\\System32\\\\*.exe\n    - C:\\Windows\\SysWOW64\\\\*.exe\n    CommandLine:\n    - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n    - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n    - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n
\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n  are passed back to the main module via named pipe, the file system journal of drive\n  C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  pipe_com:\n    CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n  rundll32_dash1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*.dat,#1\'\n  perfc_keyword:\n  - \'*\\perfc.dat*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n
\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage: \'*\\WinRAR.exe\'\n    Image: \'*\\wscript.exe\'\n  selection2:\n    CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n
\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - Microsoft\\Windows\\CurrentVersion\\Run\n    - C:\\users\\Public\\\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n
\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'* C:\\Users\\\\*.jse *\'\n    - \'* C:\\Users\\\\*.vbe *\'\n    - \'* C:\\Users\\\\*.js *\'\n    - \'* C:\\Users\\\\*.vba *\'\n    - \'* C:\\Users\\\\*.vbs *\'\n    - \'* C:\\ProgramData\\\\*.jse *\'\n    - \'* C:\\ProgramData\\\\*.vbe *\'\n    - \'* C:\\ProgramData\\\\*.js *\'\n    - \'* C:\\ProgramData\\\\*.vba *\'\n    - \'* C:\\ProgramData\\\\*.vbs *\'\n  falsepositive:\n    ParentImage: \'*\\winzip*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n
\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n  automatically every few minutes. This detectors attempts to identify that activity\n  based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\nltest.exe\'\n    CommandLine:\n    - /domain_trusts /all_trusts\n    - /domain_trusts\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n
\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\tasksche.exe\'\n    - \'*\\mssecsvc.exe\'\n    - \'*\\taskdl.exe\'\n    - \'*\\@WanaDecryptor@*\'\n    - \'*\\WanaDecryptor*\'\n    - \'*\\taskhsvc.exe\'\n    - \'*\\taskse.exe\'\n    - \'*\\111.exe\'\n    - \'*\\lhdfrgui.exe\'\n    - \'*\\diskpart.exe\'\n    - \'*\\linuxnew.exe\'\n    - \'*\\wannacry.exe\'\n  selection2:\n    CommandLine:\n    - \'*icacls * /grant Everyone:F /T /C /Q*\'\n    - \'*bcdedit /set {default} recoveryenabled no*\'\n    - \'*wbadmin delete catalog -quiet*\'\n    - \'*@Please_Read_Me@.txt*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n
\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /INJECTRUNNING *\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n
\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n  a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    ParentImage|endswith: \\services.exe\n  selection_2:\n  - CommandLine|contains:\n    - cmd\n    - comspec\n  - CommandLine|contains|all:\n    - cmd\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - \'%COMSPEC%\'\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - rundll32\n    - .dll,a\n    - \'/p:\'\n  filter1:\n    CommandLine|contains: MpCmdRun\n  condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    CommandLine|contains:\n    - DumpCreds\n    - invoke-mimikatz\n  selection_2:\n    CommandLine|contains:\n    - rpc\n    - token\n    - crypto\n    - dpapi\n    - sekurlsa\n    - kerberos\n    - lsadump\n    - privilege\n    - process\n  selection_3:\n    CommandLine|contains:\n    - \'::\'\n  condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n
\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mmc.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mshta.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n
\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - arp.exe\n    - at.exe\n    - attrib.exe\n    - cscript.exe\n    - dsquery.exe\n    - hostname.exe\n    - ipconfig.exe\n    - mimikatz.exe\n    - nbtstat.exe\n    - net.exe\n    - netsh.exe\n    - nslookup.exe\n    - ping.exe\n    - quser.exe\n    - qwinsta.exe\n    - reg.exe\n    - runas.exe\n    - sc.exe\n    - schtasks.exe\n    - ssh.exe\n    - systeminfo.exe\n    - taskkill.exe\n    - telnet.exe\n    - tracert.exe\n    - wscript.exe\n    - xcopy.exe\n    - pscp.exe\n    - copy.exe\n    - robocopy.exe\n    - certutil.exe\n    - vssadmin.exe\n    - powershell.exe\n    - wevtutil.exe\n    - psexec.exe\n    - bcedit.exe\n    - wbadmin.exe\n    - icacls.exe\n    - diskpart.exe\n  timeframe: 5m\n  condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n  Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: view\n  filter:\n    CommandLine|contains: \\\\\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains|all:\n    - user\n    - add\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*netsh firewall add*\'\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n
\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - netsh\n    - trace\n    - start\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh interface portproxy add v4tov4 *\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n  used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh i* p*=3389 c*\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n
\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n  monitor or capture information sent over a wired or wireless connection. An adversary\n  may place a network interface into promiscuous mode to passively access data in\n  transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\tshark.exe\n    CommandLine|contains: -i\n  - Image|endswith: \\windump.exe\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n
\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - create\n    - binpath\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: new-service\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n
\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n  with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n  filter:\n    ParentImage|endswith: \\explorer.exe\n  condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n  Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\scrcons.exe\'\n    - \'*\\schtasks.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\hh.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\msiexec.exe\'\n    - \'*\\forfiles.exe\'\n    - \'*\\scriptrunner.exe\'\n    - \'*\\mftrace.exe\'\n    - \'*\\AppVLP.exe\'\n    - \'*\\svchost.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n
\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n  Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - C:\\users\\\\*.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR 
*\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n  for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_cammute:\n    Image: \'*\\CamMute.exe\'\n  filter_cammute:\n    Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n  selection_chrome_frame:\n    Image: \'*\\chrome_frame_helper.exe\'\n  filter_chrome_frame:\n    Image: \'*\\Google\\Chrome\\application\\\\*\'\n  selection_devemu:\n    Image: \'*\\dvcemumanager.exe\'\n  filter_devemu:\n    Image: \'*\\Microsoft Device Emulator\\\\*\'\n  selection_gadget:\n    Image: \'*\\Gadget.exe\'\n  filter_gadget:\n    Image: \'*\\Windows Media Player\\\\*\'\n  selection_hcc:\n    Image: \'*\\hcc.exe\'\n  filter_hcc:\n    Image: \'*\\HTML Help Workshop\\\\*\'\n  selection_hkcmd:\n    Image: \'*\\hkcmd.exe\'\n  filter_hkcmd:\n    Image:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysNative\\\\*\'\n    - \'*\\SysWowo64\\\\*\'\n  selection_mc:\n    Image: \'*\\Mc.exe\'\n  filter_mc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n  selection_msmpeng:\n    Image: \'*\\MsMpEng.exe\'\n  filter_msmpeng:\n    Image:\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Windows Defender\\\\*\'\n    - \'*\\AntiMalware\\\\*\'\n  selection_msseces:\n    Image: \'*\\msseces.exe\'\n  filter_msseces:\n    Image:\n    - \'*\\Microsoft Security Center\\\\*\'\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Microsoft Security Essentials\\\\*\'\n  
selection_oinfo:\n    Image: \'*\\OInfoP11.exe\'\n  filter_oinfo:\n    Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n  selection_oleview:\n    Image: \'*\\OleView.exe\'\n  filter_oleview:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n  selection_rc:\n    Image: \'*\\rc.exe\'\n  filter_rc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n    - \'*\\Microsoft.NET\\\\*\'\n  condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n    and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n    ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n    ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n    ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n    filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n    and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n  whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \\msdt.exe\n    - \\installutil.exe\n    - \\regsvcs.exe\n    - \\regasm.exe\n    - \\msbuild.exe\n    - \\ieexec.exe\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Using installutil to add features for .NET applications (primarly would occur in\n  developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentUser:\n    - NT AUTHORITY\\NETWORK SERVICE\n    - NT AUTHORITY\\LOCAL SERVICE\n    User: NT AUTHORITY\\SYSTEM\n  rundllexception:\n    Image|endswith: \\rundll32.exe\n    CommandLine|contains: DavSetCookie\n  condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n
\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*System.Management.Automation.AmsiUtils*\'\n  selection2:\n    CommandLine:\n    - \'*amsiInitFailed*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n  selection:\n    CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*AAAAYInlM*\'\n  selection2:\n    CommandLine:\n    - \'*OiCAAAAYInlM*\'\n    - \'*OiJAAAAYInlM*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains: Start-BitsTransfer\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\rundll32.exe\'\n  selection2:\n    Description:\n    - \'*Windows-Hostprozess (Rundll32)*\'\n  selection3:\n    CommandLine:\n    - \'*Default.GetString*\'\n    - \'*FromBase64String*\'\n  condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n  line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\powershell.exe\'\n    CommandLine:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n
\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains: ::FromBase64String(\n  condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\Powershell.exe\'\n    CommandLine:\n    - \' -windowstyle h \'\n    - \' -windowstyl h\'\n    - \' -windowsty h\'\n    - \' -windowst h\'\n    - \' -windows h\'\n    - \' -windo h\'\n    - \' -wind h\'\n    - \' -win h\'\n    - \' -wi h\'\n    - \' -win h \'\n    - \' -win hi \'\n    - \' -win hid \'\n    - \' -win hidd \'\n    - \' -win hidde \'\n    - \' -NoPr \'\n    - \' -NoPro \'\n    - \' -NoProf \'\n    - \' -NoProfi \'\n    - \' -NoProfil \'\n    - \' -nonin \'\n    - \' -nonint \'\n    - \' -noninte \'\n    - \' -noninter \'\n    - \' -nonintera \'\n    - \' -noninterac \'\n    - \' -noninteract \'\n    - \' -noninteracti \'\n    - \' -noninteractiv \'\n    - \' -ec \'\n    - \' -encodedComman \'\n    - \' -encodedComma \'\n    - \' -encodedComm \'\n    - \' -encodedCom \'\n    - \' -encodedCo \'\n    - \' -encodedC \'\n    - \' -encoded \'\n    - \' -encode \'\n    - \' -encod \'\n    - \' -enco \'\n    - \' -en \'\n  condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n  obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    CommandLine:\n    - \'* -bxor*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n
\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\powershell.exe\'\n    CommandLine:\n    - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\taskhost.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\services.exe\'\n    - \'*\\lsaiso.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\winlogon.exe\'\n  filter:\n    ParentImage:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysWOW64\\\\*\'\n    - \'*\\SavService.exe\'\n    - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n
\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\bitsadmin.exe\'\n    CommandLine:\n    - \'* /transfer *\'\n  selection2:\n    CommandLine:\n    - \'*copy bitsadmin.exe*\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - comsvcs.dll,#24\n    - comsvcs.dll,MiniDump\n  condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n
\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n  condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n
\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n  about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\reg.exe\n    CommandLine|contains:\n    - query\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - currentVersion\\windows\n    - currentVersion\\runServicesOnce\n    - currentVersion\\runServices\n    - winlogon\\\n    - currentVersion\\shellServiceObjectDelayLoad\n    - currentVersion\\runOnce\n    - currentVersion\\runOnceEx\n    - currentVersion\\run\n    - currentVersion\\policies\\explorer\\run\n    - currentcontrolset\\services\n  condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n
\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - noconsentprompt\n    - \'shadow:\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n  parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wsmprovhost.exe\n  - ParentImage|endswith: \\wsmprovhost.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n
\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n  may be used before executing a scheduled task or to discover the time zone of a\n  target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: time\n  - Image|endswith: \\w32tm.exe\n    CommandLine|contains: tz\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: Get-Date\n  condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n
\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n    - \'*\\psexec.exe\'\n    - \'*\\psexec64.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cmstp.exe\'\n    - \'*\\msiexec.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n  string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Product:\n    - \'*PAExec*\'\n  selection2:\n    Imphash:\n    - 11D40A7B7876288F919AB819CC2D9802\n    - 6444f8a34e99b8f7d9647de66aabe516\n    - dfd6aa3f7b2b1035b76b718f1ddc689f\n    - 1a6cca4d5460b1710a12dea39e4a592c\n  filter1:\n    Image: \'*paexec*\'\n  condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n
\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\powershell.exe\n    Image|endswith: \\powershell.exe\n    CommandLine|contains|all:\n    - Get-Content\n    - -Stream\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n  to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\sdbinst.exe\'\n    CommandLine:\n    - \'*.sdb*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n
\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: \' start \'\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n
\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\sc.exe\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: stop\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n  utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - mklink\n    - HarddiskVolumeShadowCopy\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n  access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - create\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - delete\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n  for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\mshta.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\schtasks.exe\'\n    - \'*\\nslookup.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\bitsadmin.exe\'\n    - \'*\\mshta.exe\'\n  falsepositives:\n    CurrentDirectory: \'*\\ccmcache\\\\*\'\n  condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \SoundRecorder.exe\n    CommandLine|contains: /FILE\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_image:\n    Image: \'*\\setspn.exe\'\n  selection_desc:\n    Description: \'*Query or reset the computer* SPN attribute*\'\n  cmd:\n    CommandLine: \'*-q*\'\n  condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName: \'*\\bcdedit.exe\'\n    ProcessCommandLine:\n    - \'*delete*\'\n    - \'*deletevalue*\'\n    - \'*import*\'\n  condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\bginfo.exe\n    CommandLine|contains|all:\n    - /popup\n    - /nolicprompt\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n  a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\calc.exe *\'\n  selection2:\n    Image: \'*\\calc.exe\'\n  filter2:\n    Image: \'*\\Windows\\Sys*\'\n  condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cdb.exe\n    CommandLine|contains: -cf\n  condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n  \'decode\' sub command, which is sometimes used to decode malicious code with the\n  built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -decode *\'\n    - \'* /decode *\'\n    - \'* -decodehex *\'\n    - \'* /decodehex *\'\n    - \'* -urlcache *\'\n    - \'* /urlcache *\'\n    - \'* -verifyctl *\'\n    - \'* /verifyctl *\'\n    - \'* -encode *\'\n    - \'* /encode *\'\n    - \'*certutil* -URL*\'\n    - \'*certutil* /URL*\'\n    - \'*certutil* -ping*\'\n    - \'*certutil* /ping*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n
\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects a suspicious certutil command that is used to encode files, which\n  is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - certutil -f -encode *\n    - certutil.exe -f -encode *\n    - certutil -encode -f *\n    - certutil.exe -encode -f *\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious process that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious process that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*h^t^t^p*\'\n    - \'*h\"t\"t\"p*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n
\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes an URL and\n  AppData string in the command line parameters as used by several droppers (js/vbs\n  > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - cmd.exe /c *http://*%AppData%\n    - cmd.exe /c *https://*%AppData%\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n  language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - chcp* 936\n    - chcp* 1258\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n
\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n  groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - tasklist\n    - net time\n    - systeminfo\n    - whoami\n    - nbtstat\n    - net start\n    - \'*\\net1 start\'\n    - qprocess\n    - nslookup\n    - hostname.exe\n    - \'*\\net1 user /domain\'\n    - \'*\\net1 group /domain\'\n    - \'*\\net1 group \"domain admins\" /domain\'\n    - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n    - \'*\\net1 accounts /domain\'\n    - \'*\\net1 user net localgroup administrators\'\n    - netstat -an\n  timeframe: 15s\n  condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n  tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - 7z*.exe\n    - \'*rar.exe\'\n    - \'*Command*Line*RAR*\'\n    CommandLine:\n    - \'* -p*\'\n    - \'* -ta*\'\n    - \'* -tb*\'\n    - \'* -sdel*\'\n    - \'* -dw*\'\n    - \'* -hp*\'\n  falsepositive:\n    ParentImage: C:\\Program*\n  condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  rundll_image:\n    Image: \'*\\rundll32.exe\'\n  rundll_ofn:\n    OriginalFileName: RUNDLL32.EXE\n  selection:\n    CommandLine:\n    - \'*comsvcs*MiniDump*full*\'\n    - \'*comsvcs*MiniDumpW*full*\'\n  condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n  Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\System32\\control.exe\'\n    CommandLine: \'*\\rundll32.exe *\'\n  filter:\n    CommandLine: \'*Shell32.dll*\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n
\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - copy *\\c$\n    - copy *\\ADMIN$\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n  delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe*\'\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n  folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe\'\n    CommandLine:\n    - \'*\\AppData\\\\*\'\n    - \'*\\Windows\\Temp\\\\*\'\n  filter:\n    ParentImage:\n    - C:\\Program Files*\n    - \'*\\sdiagnhost.exe\'\n    - \'*\\w3wp.exe\'\n  condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n
\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n  Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  condition: selection\n  selection:\n    CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n
\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\dctask64.exe\n  filter:\n    CommandLine|contains:\n    - DesktopCentral_Agent\\agent\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n
\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\devtoolslauncher.exe\n    CommandLine|contains: LaunchForDeploy\n  condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n
\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n  registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \'*\\reg.exe\'\n    CommandLine|contains: add\n  selection_2:\n    CommandLine|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n    - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dnx.exe\n  condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n  extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n  in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*.doc.exe\'\n    - \'*.docx.exe\'\n    - \'*.xls.exe\'\n    - \'*.xlsx.exe\'\n    - \'*.ppt.exe\'\n    - \'*.pptx.exe\'\n    - \'*.rtf.exe\'\n    - \'*.pdf.exe\'\n    - \'*.txt.exe\'\n    - \'*      .exe\'\n    - \'*______.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dxcap.exe\n    CommandLine|contains|all:\n    - -c\n    - .exe\n  condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n  and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_wevtutil_binary:\n    Image|endswith: \\wevtutil.exe\n  selection_wevtutil_command:\n    CommandLine|contains:\n    - clear-log\n    - \' cl \'\n    - set-log\n    - \' sl \'\n  selection_other_ps:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains:\n    - Clear-EventLog\n    - Remove-EventLog\n    - Limit-EventLog\n  selection_other_wmic:\n    Image|endswith: \\wmic.exe\n    CommandLine|contains: \' ClearEventLog \'\n  condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n
\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - C:\\PerfLogs\\\\*\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Intel\\Logs\\\\*\n    - C:\\Users\\Default\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\NetworkService\\\\*\n    - C:\\Windows\\Fonts\\\\*\n    - C:\\Windows\\Debug\\\\*\n    - C:\\Windows\\Media\\\\*\n    - C:\\Windows\\Help\\\\*\n    - C:\\Windows\\addins\\\\*\n    - C:\\Windows\\repair\\\\*\n    - C:\\Windows\\security\\\\*\n    - \'*\\RSA\\MachineKeys\\\\*\'\n    - C:\\Windows\\system32\\config\\systemprofile\\\\*\n    - C:\\Windows\\Tasks\\\\*\n    - C:\\Windows\\System32\\Tasks\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n  out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wwwroot\\\\*\'\n    - \'*\\wmpub\\\\*\'\n    - \'*\\htdocs\\\\*\'\n  filter:\n    Image:\n    - \'*bin\\\\*\'\n    - \'*\\Tools\\\\*\'\n    - \'*\\SMSComponent\\\\*\'\n    ParentImage:\n    - \'*\\services.exe\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n
\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh firewall set opmode mode=disable\n    - netsh advfirewall set * state off\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n
\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n  it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n  and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  binary_1:\n    Image|endswith: \\fsutil.exe\n  binary_2:\n    OriginalFileName: fsutil.exe\n  selection:\n    CommandLine|contains:\n    - deletejournal\n    - createjournal\n  condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n  which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\GUP.exe\'\n  filter:\n    Image:\n    - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n    - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n  condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n
\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\APPCMD.EXE install module /name:*\'\n  condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n  IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\msiexec.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n
\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* msiexec*://*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\powerpnt.exe\n    - \\winword.exe\n    - \\excel.exe\n    CommandLine|contains: http\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n  (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\net.exe\'\n    - \'*\\net1.exe\'\n  cmdline:\n    CommandLine:\n    - \'* group*\'\n    - \'* localgroup*\'\n    - \'* user*\'\n    - \'* view*\'\n    - \'* share\'\n    - \'* accounts*\'\n    - \'* use*\'\n    - \'* stop *\'\n  condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n  following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n
\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n  against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\ntdsutil*\'\n  condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\odbcconf.exe\n    CommandLine|contains:\n    - -f\n    - regsvr\n  selection_2:\n    ParentImage|endswith: \\odbcconf.exe\n    Image|endswith: \\rundll32.exe\n  condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n
\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\OpenWith.exe\n    CommandLine|contains: /c\n  condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  clientMailRules:\n    CommandLine: \'*EnableUnsafeClientMailRules*\'\n  outlookExec:\n    ParentImage: \'*\\outlook.exe\'\n    CommandLine: \\\\\\\\*\\\\*.exe\n  condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n
\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\ping.exe 0x*\'\n    - \'*\\ping 0x*\'\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n    - \'* -noP -sta -w 1 -enc *\'\n    - \'* -NoP -NonI -W Hidden -enc *\'\n  condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n    - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n  (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e JAB*\'\n    - \'* -e  JAB*\'\n    - \'* -e   JAB*\'\n    - \'* -e    JAB*\'\n    - \'* -e     JAB*\'\n    - \'* -e      JAB*\'\n    - \'* -en JAB*\'\n    - \'* -enc JAB*\'\n    - \'* -enc* JAB*\'\n    - \'* -w hidden -e* JAB*\'\n    - \'* BA^J e-\'\n    - \'* -e SUVYI*\'\n    - \'* -e aWV4I*\'\n    - \'* -e SQBFAFgA*\'\n    - \'* -e aQBlAHgA*\'\n    - \'* -enc SUVYI*\'\n    - \'* -enc aWV4I*\'\n    - \'* -enc SQBFAFgA*\'\n    - \'* -enc aQBlAHgA*\'\n  falsepositive1:\n    CommandLine: \'* -ExecutionPolicy remotesigned *\'\n  condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n  lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  encoded:\n    Image: \'*\\powershell.exe\'\n    CommandLine: \'* hidden *\'\n  selection:\n    CommandLine:\n    - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n    - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n    - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n    - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n    - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n    - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n    - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n    - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n    - \'*JGNodW5rX3Npem*\'\n    - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n    - \'*RjaHVua19zaXpl*\'\n    - \'*Y2h1bmtfc2l6Z*\'\n    - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n    - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n    - \'*lPLkNvbXByZXNzaW9u*\'\n    - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n    - \'*SU8uQ29tcHJlc3Npb2*\'\n    - \'*Ty5Db21wcmVzc2lvb*\'\n    - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n    - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n    - \'*lPLk1lbW9yeVN0cmVhb*\'\n    - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n    - \'*SU8uTWVtb3J5U3RyZWFt*\'\n    - \'*Ty5NZW1vcnlTdHJlYW*\'\n    - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n    - \'*5HZXRDaHVua*\'\n    - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n    - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n    - \'*LkdldENodW5r*\'\n    - \'*R2V0Q2h1bm*\'\n    - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n    - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n    - \'*RIUkVBRF9JTkZPNj*\'\n    - \'*SFJFQURfSU5GTzY0*\'\n    - 
\'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n    - \'*VEhSRUFEX0lORk82N*\'\n    - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n    - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n    - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n    - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n    - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n    - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n    - \'*0AZQBtAG0AbwB2AGUA*\'\n    - \'*1lbW1vdm*\'\n    - \'*AGUAbQBtAG8AdgBlA*\'\n    - \'*bQBlAG0AbQBvAHYAZQ*\'\n    - \'*bWVtbW92Z*\'\n    - \'*ZW1tb3Zl*\'\n  condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory\".keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n  programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  falsepositive:\n    CurrentDirectory: \'*\\Health Service State\\\\*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n  a special command line parameter in combination with the lsass.exe process. This\n  way we\'re also able to catch cases in which the attacker has renamed the procdump\n  executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'* -ma *\'\n  selection2:\n    CommandLine:\n    - \'* lsass*\'\n  selection3:\n    CommandLine:\n    - \'* -ma ls*\'\n  condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* sekurlsa:*\'\n    - net localgroup administrators * /add\n    - net group \"Domain Admins\" * /ADD /DOMAIN\n    - certutil.exe *-urlcache* http*\n    - certutil.exe *-urlcache* ftp*\n    - netsh advfirewall firewall *\\AppData\\\\*\n    - attrib +S +H +R *\\AppData\\\\*\n    - schtasks* /create *\\AppData\\\\*\n    - schtasks* /sc minute*\n    - \'*\\Regasm.exe *\\AppData\\\\*\'\n    - \'*\\Regasm *\\AppData\\\\*\'\n    - \'*\\bitsadmin* /transfer*\'\n    - \'*\\certutil.exe * -decode *\'\n    - \'*\\certutil.exe * -decodehex *\'\n    - \'*\\certutil.exe -ping *\'\n    - icacls * /grant Everyone:F /T /C /Q\n    - \'* wbadmin.exe delete catalog -quiet*\'\n    - \'*\\wscript.exe 
*.jse\'\n    - \'*\\wscript.exe *.js\'\n    - \'*\\wscript.exe *.vba\'\n    - \'*\\wscript.exe *.vbe\'\n    - \'*\\cscript.exe *.jse\'\n    - \'*\\cscript.exe *.js\'\n    - \'*\\cscript.exe *.vba\'\n    - \'*\\cscript.exe *.vbe\'\n    - \'*\\fodhelper.exe\'\n    - \'*waitfor*/s*\'\n    - \'*waitfor*/si persist*\'\n    - \'*remote*/s*\'\n    - \'*remote*/c*\'\n    - \'*remote*/q*\'\n    - \'*AddInProcess*\'\n    - \'* /stext *\'\n    - \'* /scomma *\'\n    - \'* /stab *\'\n    - \'* /stabular *\'\n    - \'* /shtml *\'\n    - \'* /sverhtml *\'\n    - \'* /sxml *\'\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n    - \'*\\Windows\\debug\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n  reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* /c powershell*\\AppData\\Local\\\\*\'\n    - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n  condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n  the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - powershell\n    - .DownloadFile\n    - System.Net.WebClient\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n
\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n  machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\Psr.exe\n    CommandLine|contains: /start\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rasdial\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - net group \"domain admins\" /domain\n    - net localgroup administrators\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n  recommendation: Check if the user that executed the commands is suspicious (e.g.\n    service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine: \'*\\Temp\\\\*\'\n  selection2:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\powershell.exe\'\n  selection3:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\cmd.exe\'\n  selection4:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine:\n    - \'*/i:http* scrobj.dll\'\n    - \'*/i:ftp* scrobj.dll\'\n  selection5:\n    Image: \'*\\wscript.exe\'\n    ParentImage: \'*\\regsvr32.exe\'\n  selection6:\n    Image: \'*\\EXCEL.EXE\'\n    CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n  process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n  filter:\n    Image|endswith: \\dctask64.exe\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*:\\RECYCLER\\\\*\'\n    - \'*:\\SystemVolumeInformation\\\\*\'\n    - C:\\\\Windows\\\\Tasks\\\\*\n    - C:\\\\Windows\\\\debug\\\\*\n    - C:\\\\Windows\\\\fonts\\\\*\n    - C:\\\\Windows\\\\help\\\\*\n    - C:\\\\Windows\\\\drivers\\\\*\n    - C:\\\\Windows\\\\addins\\\\*\n    - C:\\\\Windows\\\\cursors\\\\*\n    - C:\\\\Windows\\\\system32\\tasks\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n    - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n    - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n    - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n    - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n    - \'*\\rundll32.exe javascript:*\'\n    - \'* url.dll,*OpenURL *\'\n    - \'* url.dll,*OpenURLA *\'\n    - \'* url.dll,*FileProtocolHandler *\'\n    - \'* zipfldr.dll,*RouteTheCall *\'\n    - \'* Shell32.dll,*Control_RunDLL *\'\n    - \'* javascript:*\'\n    - \'*.RegisterXLL*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows control panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,#*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Windows control panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n
\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\schtasks.exe\'\n    CommandLine: \'* /create *\'\n  filter:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n
\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'*.jse\'\n    - \'*.vbe\'\n    - \'*.js\'\n    - \'*.vba\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n  it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - config\n    - binpath\n  selection_2:\n    CommandLine|contains:\n    - powershell\n    - cmd\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n
\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\update.exe\'\n    CommandLine:\n    - \'*--processStart*.exe*\'\n    - \'*--processStartAndWait*.exe*\'\n    - \'*--createShortcut*.exe*\'\n  condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\services.exe\'\n    - \'*\\MsMpEng.exe\'\n    - \'*\\Mrt.exe\'\n    - \'*\\rpcnet.exe\'\n    - \'*\\svchost.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n  and is normally observed when a malicious process spawns the process and injects\n  code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n  selection2:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\rpcnet.exe\'\n    - \'*\\rpcnetp.exe\'\n  condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n  (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\sysprep.exe *\\AppData\\\\*\'\n    - sysprep.exe *\\AppData\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n  condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnkown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\taskmgr.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\taskmgr.exe\'\n  filter:\n    Image:\n    - \'*\\resmon.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\taskmgr.exe\'\n  condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\tscon.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /dest:rdp-tcp:*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\csi.exe\n    ParentImage|endswith: \\powershell.exe\n    OriginalFileName: csi.exe\n  condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n  command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\userinit.exe\'\n  filter1:\n    CommandLine: \'*\\\\netlogon\\\\*\'\n  filter2:\n    Image: \'*\\explorer.exe\'\n  condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - \'*/NODE:*process call create *\'\n    - \'* path AntiVirusProduct get *\'\n    - \'* path FirewallProduct get *\'\n    - \'* shadowcopy delete *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n  easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    Image|endswith: \\fltmc.exe\n    CommandLine|contains|all:\n    - unload\n    - sys\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n
\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\services.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\spoolsv.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\smss.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\conhost.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\winlogon.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\taskhost.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\system32\\\\*\n    - C:\\Windows\\SysWow64\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\winsxs\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - \\SystemRoot\\System32\\\\*\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP insntallation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n
\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n  using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\tapinstall.exe\n  condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP insntallation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n
\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n  Adversaries can take advantage of this and load or influence any script hosts or\n  ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n  wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n  product: Windows\ndetection:\n  selection1:\n    CommandLine|contains:\n    - \'echo \'\n    - \'copy \'\n    - \'type \'\n    - file createnew\n  selection2:\n    CommandLine|contains:\n    - \' C:\\Windows\\System32\\Tasks\\\'\n    - \' C:\\Windows\\SysWow64\\Tasks\\\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n
\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n  could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n  filter:\n    Image: \'*\\rdpclip.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n  This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains: trustedDomain\n  condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n  Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cmstp.exe\n    CommandLine|contains:\n    - /s\n    - /au\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\fodhelper.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\wsreset.exe\n  filter:\n    Image|endswith: \\conhost.exe\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n  to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  scbynonadmin:\n    Image|endswith: \\sc.exe\n    IntegrityLevel: Medium\n  binpath:\n    CommandLine|contains|all:\n    - config\n    - binPath\n  failurecommand:\n    CommandLine|contains|all:\n    - failure\n    - command\n  condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n
\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n  just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*transport=dt_socket,address=*\'\n  exclusion:\n  - CommandLine: \'*address=127.0.0.1*\'\n  - CommandLine: \'*address=localhost*\'\n  condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n
\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n  activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\apache*\'\n    - \'*\\tomcat*\'\n    - \'*\\w3wp.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\httpd.exe\'\n    CommandLine:\n    - \'*whoami*\'\n    - \'*net user *\'\n    - \'*ping -n *\'\n    - \'*systeminfo\'\n    - \'*&cd&echo*\'\n    - \'*cd /d*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n
\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n  placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\w3wp.exe\'\n    - \'*\\httpd.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\tomcat.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n
\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n  a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image|endswith: \\whoami.exe\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: schtasks.exe\n    CommandLine: \'*/change*/TN*/RU*/RP*\'\n  condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n  category: process_creation\n  product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n  selection:\n    ParentImage: \'*\\EdgeTransport.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n    ParentImage: C:\\Windows\\System32\\svchost.exe\n  condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n
\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\WmiPrvSe.exe\n  filter:\n  - LogonId: \'0x3e7\'\n  - Username: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n  execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n
\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n  the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\WSreset.exe\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11184,'Issue',620,1,'New Sensitive Shared Resource'),(11185,'Issue',620,2,'Josh Brower'),(11186,'Issue',620,10,'medium'),(11187,'Issue',620,13,'imported'),(11188,'Issue',620,14,'osquery'),(11189,'Issue',620,8,'none'),(11191,'Issue',620,11,'8a0e88be7'),(11192,'Issue',620,12,'none'),(11193,'Issue',620,16,''),(11194,'Issue',620,17,''),(11195,'Issue',620,7,''),(11196,'Issue',620,3,'Network shares with loose access controls are common places that leak sensitive information. This play proactively looks for newly shared resources that likely contain sensitive data. Follow-up will be needed to confirm that appropriate access control is in place.'),(11197,'Issue',620,4,''),(11198,'Issue',620,5,'_False Positives_\nunknown'),(11199,'Issue',620,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((osquery.columns.qid:\"601\" AND osquery.columns.name.keyword:(*hr* OR *finance* OR *backup* OR *www* OR *scan*)) AND (NOT (osquery.result.counter:\"0\")))\nindex: so-osquery-*\nname: New Sensitive Shared Resource\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11200,'Issue',620,9,'{{collapse(View Sigma)\n
\n\ntitle: New Sensitive Shared Resource\ndescription: Network shares with loose access controls are common places that leak\n  sensitive information. This play proactively looks for newly shared resources that\n  likely contain sensitive data. Follow-up will be needed to confirm that appropriate\n  access control is in place.\nstatus: experimental\nauthor: Josh Brower\ntags:\n- attack.discovery\n- attack.t1135\nlogsource:\n  product: osquery\n  definition: select Description,Name,Path, \"601\" AS qid  from shared_resources where\n    type = 0 AND name <> \"print$\";\n  qid: 601\ndetection:\n  selection:\n    qid: 601\n    column_name:\n    - \'*hr*\'\n    - \'*finance*\'\n    - \'*backup*\'\n    - \'*www*\'\n    - \'*scan*\'\n  filter:\n    counter: 0\n  condition: selection and not filter\nfalsepositives:\n- unknown\nlevel: medium\ntasks:\n  1 - Check Share Permissions: Are share permissions set to an appropriate level?\n    They should be tied to the relevant AD Security Group.\n  2 - Contact System/Service Owner: If share permissions are not appropriate, contact\n    the system/service owner for remediation.\n\n
\n}}'),(11201,'Issue',620,15,'T1135'),(11202,'Issue',621,1,'Whoami Execution'),(11203,'Issue',621,2,'Florian Roth'),(11204,'Issue',621,10,'high'),(11205,'Issue',621,13,'imported'),(11206,'Issue',621,14,'windows'),(11207,'Issue',621,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11209,'Issue',621,11,'b2904c00a'),(11210,'Issue',621,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11211,'Issue',621,16,''),(11212,'Issue',621,17,''),(11213,'Issue',621,7,''),(11214,'Issue',621,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11215,'Issue',621,4,''),(11216,'Issue',621,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11217,'Issue',621,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11218,'Issue',621,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(11219,'Issue',621,15,'T1033'),(11220,'Issue',622,1,'Advanced IP Scanner'),(11221,'Issue',622,2,'@ROxPinTeddy'),(11222,'Issue',622,10,'medium'),(11223,'Issue',622,13,'community'),(11224,'Issue',622,14,'windows'),(11225,'Issue',622,8,'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'),(11227,'Issue',622,11,'28e0c60a4'),(11228,'Issue',622,12,'bef37fa2-f205-4a7b-b484-0759bfd5f86f'),(11229,'Issue',622,16,'win-proc'),(11230,'Issue',622,17,''),(11231,'Issue',622,7,''),(11232,'Issue',622,3,'Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.'),(11233,'Issue',622,4,''),(11234,'Issue',622,5,'_False Positives_\nLegitimate administrative use'),(11235,'Issue',622,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\advanced_ip_scanner*)\nindex: so-*\nname: Advanced IP Scanner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11236,'Issue',622,9,'{{collapse(View Sigma)\n
\n\ntitle: Advanced IP Scanner\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: experimental\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for\n  ransomware groups.\nreferences:\n- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nauthor: \'@ROxPinTeddy\'\ndate: 2020/05/12\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|contains: \\advanced_ip_scanner\n  condition: selection\nfalsepositives:\n- Legitimate administrative use\nlevel: medium\n\n
\n}}'),(11237,'Issue',622,15,'T1046'),(11238,'Issue',623,1,'Harvesting of Wifi Credentials Using netsh.exe'),(11239,'Issue',623,2,'Andreas Hunkeler (@Karneades)'),(11240,'Issue',623,10,'medium'),(11241,'Issue',623,13,'community'),(11242,'Issue',623,14,'windows'),(11243,'Issue',623,8,'https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/'),(11245,'Issue',623,11,'c7fcf9aee'),(11246,'Issue',623,12,'42b1a5b8-353f-4f10-b256-39de4467faff'),(11247,'Issue',623,16,'win-proc'),(11248,'Issue',623,17,''),(11249,'Issue',623,7,''),(11250,'Issue',623,3,'Detect the harvesting of wifi credentials using netsh.exe'),(11251,'Issue',623,4,''),(11252,'Issue',623,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe wlan functionality for legitimate reason'),(11253,'Issue',623,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear))\nindex: so-*\nname: Harvesting of Wifi Credentials Using netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11254,'Issue',623,9,'{{collapse(View Sigma)\n
\n\ntitle: Harvesting of Wifi Credentials Using netsh.exe\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: experimental\ndescription: Detect the harvesting of wifi credentials using netsh.exe\nreferences:\n- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2020/04/20\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh wlan s* p* k*=clear\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(11255,'Issue',623,15,'T1040'); -/*!40000 ALTER TABLE `custom_values` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `documents` --- - -DROP TABLE IF EXISTS `documents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `documents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `category_id` int(11) NOT NULL DEFAULT '0', - `title` varchar(255) NOT NULL DEFAULT '', - `description` text, - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `documents_project_id` (`project_id`), - KEY `index_documents_on_category_id` (`category_id`), - KEY `index_documents_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `documents` --- - -LOCK TABLES `documents` WRITE; -/*!40000 ALTER TABLE `documents` DISABLE KEYS */; -/*!40000 ALTER TABLE `documents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `email_addresses` --- - -DROP TABLE IF EXISTS `email_addresses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `email_addresses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL, - `address` varchar(255) NOT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `notify` tinyint(1) NOT NULL DEFAULT '1', - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_email_addresses_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `email_addresses` --- - -LOCK TABLES `email_addresses` WRITE; -/*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; -INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 
13:08:38'),(2,8,'analyst@localhost.local',1,1,'2020-04-26 18:46:48','2020-04-26 18:46:48'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); -/*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enabled_modules` --- - -DROP TABLE IF EXISTS `enabled_modules`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enabled_modules` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL, - PRIMARY KEY (`id`), - KEY `enabled_modules_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enabled_modules` --- - -LOCK TABLES `enabled_modules` WRITE; -/*!40000 ALTER TABLE `enabled_modules` DISABLE KEYS */; -INSERT INTO `enabled_modules` VALUES (1,1,'sigma_editor'),(2,1,'issue_tracking'); -/*!40000 ALTER TABLE `enabled_modules` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enumerations` --- - -DROP TABLE IF EXISTS `enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(255) DEFAULT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `project_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `position_name` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_enumerations_on_project_id` (`project_id`), - KEY `index_enumerations_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enumerations` --- - -LOCK 
TABLES `enumerations` WRITE; -/*!40000 ALTER TABLE `enumerations` DISABLE KEYS */; -INSERT INTO `enumerations` VALUES (1,'Normal',1,1,'IssuePriority',1,NULL,NULL,'default'); -/*!40000 ALTER TABLE `enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `groups_users` --- - -DROP TABLE IF EXISTS `groups_users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `groups_users` ( - `group_id` int(11) NOT NULL, - `user_id` int(11) NOT NULL, - UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `groups_users` --- - -LOCK TABLES `groups_users` WRITE; -/*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; -INSERT INTO `groups_users` VALUES (5,8),(6,9),(7,1); -/*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `import_items` --- - -DROP TABLE IF EXISTS `import_items`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `import_items` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `import_id` int(11) NOT NULL, - `position` int(11) NOT NULL, - `obj_id` int(11) DEFAULT NULL, - `message` text, - `unique_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `import_items` --- - -LOCK TABLES `import_items` WRITE; -/*!40000 ALTER TABLE `import_items` DISABLE KEYS */; -/*!40000 ALTER TABLE `import_items` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `imports` --- - -DROP TABLE IF EXISTS `imports`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE 
TABLE `imports` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(255) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `filename` varchar(255) DEFAULT NULL, - `settings` text, - `total_items` int(11) DEFAULT NULL, - `finished` tinyint(1) NOT NULL DEFAULT '0', - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `imports` --- - -LOCK TABLES `imports` WRITE; -/*!40000 ALTER TABLE `imports` DISABLE KEYS */; -/*!40000 ALTER TABLE `imports` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_categories` --- - -DROP TABLE IF EXISTS `issue_categories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_categories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(60) NOT NULL DEFAULT '', - `assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issue_categories_project_id` (`project_id`), - KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_categories` --- - -LOCK TABLES `issue_categories` WRITE; -/*!40000 ALTER TABLE `issue_categories` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_categories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_relations` --- - -DROP TABLE IF EXISTS `issue_relations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_relations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issue_from_id` int(11) NOT NULL, - `issue_to_id` int(11) NOT NULL, - `relation_type` varchar(255) NOT NULL DEFAULT '', - `delay` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY 
`index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), - KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), - KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_relations` --- - -LOCK TABLES `issue_relations` WRITE; -/*!40000 ALTER TABLE `issue_relations` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_relations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_statuses` --- - -DROP TABLE IF EXISTS `issue_statuses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_statuses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `is_closed` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `default_done_ratio` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_issue_statuses_on_position` (`position`), - KEY `index_issue_statuses_on_is_closed` (`is_closed`) -) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_statuses` --- - -LOCK TABLES `issue_statuses` WRITE; -/*!40000 ALTER TABLE `issue_statuses` DISABLE KEYS */; -INSERT INTO `issue_statuses` VALUES (2,'Draft',0,1,NULL),(3,'Active',0,2,NULL),(4,'Inactive',0,3,NULL),(5,'Archived',0,4,NULL),(6,'Disabled',0,5,NULL); -/*!40000 ALTER TABLE `issue_statuses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issues` --- - -DROP TABLE IF EXISTS `issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issues` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL, - `project_id` int(11) NOT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `description` 
longtext, - `due_date` date DEFAULT NULL, - `category_id` int(11) DEFAULT NULL, - `status_id` int(11) NOT NULL, - `assigned_to_id` int(11) DEFAULT NULL, - `priority_id` int(11) NOT NULL, - `fixed_version_id` int(11) DEFAULT NULL, - `author_id` int(11) NOT NULL, - `lock_version` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `start_date` date DEFAULT NULL, - `done_ratio` int(11) NOT NULL DEFAULT '0', - `estimated_hours` float DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `root_id` int(11) DEFAULT NULL, - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `is_private` tinyint(1) NOT NULL DEFAULT '0', - `closed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issues_project_id` (`project_id`), - KEY `index_issues_on_status_id` (`status_id`), - KEY `index_issues_on_category_id` (`category_id`), - KEY `index_issues_on_assigned_to_id` (`assigned_to_id`), - KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), - KEY `index_issues_on_tracker_id` (`tracker_id`), - KEY `index_issues_on_priority_id` (`priority_id`), - KEY `index_issues_on_author_id` (`author_id`), - KEY `index_issues_on_created_on` (`created_on`), - KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), - KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issues` --- - -LOCK TABLES `issues` WRITE; -/*!40000 ALTER TABLE `issues` DISABLE KEYS */; -INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts 
Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory 
Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 
20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key 
Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from 
Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network 
Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 
20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 
20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK 
University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-13 14:07:10',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 
20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 
20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service 
Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 
20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:56:54','2020-05-13 14:07:11',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command 
Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,2,'2020-05-01 20:57:01','2020-05-13 14:07:11',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed 
Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 
20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin 
Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 
20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:27','2020-05-13 14:07:11',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified 
Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 
20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious 
Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location 
Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 
0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(620,1,1,'New Sensitive Shared Resource',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 13:30:57','2020-05-13 13:30:57',NULL,0,NULL,NULL,620,1,2,0,NULL),(621,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:05:41','2020-05-13 14:05:41',NULL,0,NULL,NULL,621,1,2,0,NULL),(622,1,1,'Advanced IP Scanner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:09','2020-05-13 14:07:09',NULL,0,NULL,NULL,622,1,2,0,NULL),(623,1,1,'Harvesting of Wifi Credentials Using netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:11','2020-05-13 14:07:11',NULL,0,NULL,NULL,623,1,2,0,NULL); -/*!40000 ALTER TABLE `issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `journal_details` --- - -DROP TABLE IF EXISTS `journal_details`; -/*!40101 SET @saved_cs_client = @@character_set_client */; 
-/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journal_details` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journal_id` int(11) NOT NULL DEFAULT '0', - `property` varchar(30) NOT NULL DEFAULT '', - `prop_key` varchar(30) NOT NULL DEFAULT '', - `old_value` longtext, - `value` longtext, - PRIMARY KEY (`id`), - KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journal_details` --- - -LOCK TABLES `journal_details` WRITE; -/*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; -INSERT INTO `journal_details` VALUES (5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n  the processing and rendering of data within XML files, rule detects when adversaries\n  abuse this functionality to execute arbitrary files while potentially bypassing\n  application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains: /format\n  - Image|endswith: \\msxsl.exe\n  condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4'),(9,627,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n  This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|endswith: \\bcdedit.exe\n    CommandLine: set\n  selection2:\n  - CommandLine|contains|all:\n    - bootstatuspolicy\n    - ignoreallfailures\n  - CommandLine|contains|all:\n    - recoveryenabled\n    - no\n  condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(10,629,'cf','9','{{collapse(View Sigma)\n
\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n  type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n  the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \' -version 2 \'\n    - \' -versio 2 \'\n    - \' -versi 2 \'\n    - \' -vers 2 \'\n    - \' -ver 2 \'\n    - \' -ve 2 \'\n    Image|endswith: \\powershell.exe\n  condition: selection\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(11,630,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n  (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - cmd.exe\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n    - 7z.exe\n    - winrar.exe\n    - wevtutil.exe\n    - net.exe\n    - net1.exe\n  filter:\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\powershell_ise.exe\n    - \\psexec.exe\n    - \\psexec64.exe\n    - \\cscript.exe\n    - \\wscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\certutil.exe\n    - \\rundll32.exe\n    - \\cmstp.exe\n    - \\msiexec.exe\n    - \\7z.exe\n    - \\winrar.exe\n    - \\wevtutil.exe\n    - \\net.exe\n    - \\net1.exe\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n          
  - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(12,631,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\netsh.exe\n    CommandLine|contains|all:\n    - add\n    - helper\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'); -/*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `journals` --- - -DROP TABLE IF EXISTS `journals`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journals` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journalized_id` int(11) NOT NULL DEFAULT '0', - `journalized_type` varchar(30) NOT NULL DEFAULT '', - `user_id` int(11) NOT NULL DEFAULT '0', - `notes` longtext, - `created_on` datetime NOT NULL, - `private_notes` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), - KEY `index_journals_on_user_id` (`user_id`), - KEY `index_journals_on_journalized_id` (`journalized_id`), - KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=633 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journals` --- - -LOCK TABLES `journals` WRITE; -/*!40000 ALTER TABLE `journals` DISABLE KEYS */; -INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 
20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 
20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 
20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 
20:58:00',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0),(624,620,'Issue',9,'Play imported successfully.','2020-05-13 13:30:57',0),(625,621,'Issue',9,'Play imported successfully.','2020-05-13 14:05:41',0),(626,622,'Issue',9,'Play imported successfully.','2020-05-13 14:07:09',0),(627,420,'Issue',9,'','2020-05-13 14:07:10',0),(628,623,'Issue',9,'Play imported successfully.','2020-05-13 14:07:11',0),(629,494,'Issue',9,'','2020-05-13 14:07:11',0),(630,508,'Issue',9,'','2020-05-13 14:07:11',0),(631,556,'Issue',9,'','2020-05-13 14:07:11',0); -/*!40000 ALTER TABLE `journals` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `member_roles` --- - -DROP TABLE IF EXISTS `member_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `member_roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `member_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - `inherited_from` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_member_roles_on_member_id` (`member_id`), - KEY `index_member_roles_on_role_id` (`role_id`), - KEY `index_member_roles_on_inherited_from` (`inherited_from`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `member_roles` --- - -LOCK TABLES `member_roles` WRITE; -/*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; -INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(5,5,3,2),(7,7,4,3); -/*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `members` --- - -DROP TABLE IF EXISTS `members`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `members` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT 
'0', - `project_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `mail_notification` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), - KEY `index_members_on_user_id` (`user_id`), - KEY `index_members_on_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `members` --- - -LOCK TABLES `members` WRITE; -/*!40000 ALTER TABLE `members` DISABLE KEYS */; -INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(5,8,1,'2020-04-26 18:48:00',0),(7,1,1,'2020-05-01 16:42:56',0); -/*!40000 ALTER TABLE `members` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `messages` --- - -DROP TABLE IF EXISTS `messages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `messages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `board_id` int(11) NOT NULL, - `parent_id` int(11) DEFAULT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `content` text, - `author_id` int(11) DEFAULT NULL, - `replies_count` int(11) NOT NULL DEFAULT '0', - `last_reply_id` int(11) DEFAULT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - `locked` tinyint(1) DEFAULT '0', - `sticky` int(11) DEFAULT '0', - PRIMARY KEY (`id`), - KEY `messages_board_id` (`board_id`), - KEY `messages_parent_id` (`parent_id`), - KEY `index_messages_on_last_reply_id` (`last_reply_id`), - KEY `index_messages_on_author_id` (`author_id`), - KEY `index_messages_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `messages` --- - -LOCK TABLES `messages` WRITE; -/*!40000 ALTER TABLE 
`messages` DISABLE KEYS */; -/*!40000 ALTER TABLE `messages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `news` --- - -DROP TABLE IF EXISTS `news`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `news` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `title` varchar(60) NOT NULL DEFAULT '', - `summary` varchar(255) DEFAULT '', - `description` text, - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `comments_count` int(11) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `news_project_id` (`project_id`), - KEY `index_news_on_author_id` (`author_id`), - KEY `index_news_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `news` --- - -LOCK TABLES `news` WRITE; -/*!40000 ALTER TABLE `news` DISABLE KEYS */; -/*!40000 ALTER TABLE `news` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `open_id_authentication_associations` --- - -DROP TABLE IF EXISTS `open_id_authentication_associations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_associations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issued` int(11) DEFAULT NULL, - `lifetime` int(11) DEFAULT NULL, - `handle` varchar(255) DEFAULT NULL, - `assoc_type` varchar(255) DEFAULT NULL, - `server_url` blob, - `secret` blob, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_associations` --- - -LOCK TABLES `open_id_authentication_associations` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_associations` DISABLE KEYS */; -/*!40000 ALTER TABLE `open_id_authentication_associations` ENABLE KEYS */; -UNLOCK 
TABLES; - --- --- Table structure for table `open_id_authentication_nonces` --- - -DROP TABLE IF EXISTS `open_id_authentication_nonces`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_nonces` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `timestamp` int(11) NOT NULL, - `server_url` varchar(255) DEFAULT NULL, - `salt` varchar(255) NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_nonces` --- - -LOCK TABLES `open_id_authentication_nonces` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_nonces` DISABLE KEYS */; -/*!40000 ALTER TABLE `open_id_authentication_nonces` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects` --- - -DROP TABLE IF EXISTS `projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `description` text, - `homepage` varchar(255) DEFAULT '', - `is_public` tinyint(1) NOT NULL DEFAULT '1', - `parent_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `identifier` varchar(255) DEFAULT NULL, - `status` int(11) NOT NULL DEFAULT '1', - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `inherit_members` tinyint(1) NOT NULL DEFAULT '0', - `default_version_id` int(11) DEFAULT NULL, - `default_assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_projects_on_lft` (`lft`), - KEY `index_projects_on_rgt` (`rgt`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `projects` --- - -LOCK TABLES `projects` WRITE; -/*!40000 ALTER TABLE `projects` DISABLE 
KEYS */; -INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',0,NULL,'2020-04-26 13:13:01','2020-04-26 13:13:01','detection-playbooks',1,1,2,0,NULL,NULL); -/*!40000 ALTER TABLE `projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects_trackers` --- - -DROP TABLE IF EXISTS `projects_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects_trackers` ( - `project_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), - KEY `projects_trackers_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `projects_trackers` --- - -LOCK TABLES `projects_trackers` WRITE; -/*!40000 ALTER TABLE `projects_trackers` DISABLE KEYS */; -INSERT INTO `projects_trackers` VALUES (1,1); -/*!40000 ALTER TABLE `projects_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries` --- - -DROP TABLE IF EXISTS `queries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `filters` text, - `user_id` int(11) NOT NULL DEFAULT '0', - `column_names` text, - `sort_criteria` text, - `group_by` varchar(255) DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `visibility` int(11) DEFAULT '0', - `options` text, - PRIMARY KEY (`id`), - KEY `index_queries_on_project_id` (`project_id`), - KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `queries` --- - -LOCK TABLES `queries` WRITE; -/*!40000 ALTER TABLE `queries` DISABLE KEYS 
*/; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); -/*!40000 ALTER TABLE `queries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries_roles` --- - -DROP TABLE IF EXISTS `queries_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries_roles` ( - `query_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table 
`queries_roles` --- - -LOCK TABLES `queries_roles` WRITE; -/*!40000 ALTER TABLE `queries_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `queries_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `repositories` --- - -DROP TABLE IF EXISTS `repositories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `repositories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `url` varchar(255) NOT NULL DEFAULT '', - `login` varchar(60) DEFAULT '', - `password` varchar(255) DEFAULT '', - `root_url` varchar(255) DEFAULT '', - `type` varchar(255) DEFAULT NULL, - `path_encoding` varchar(64) DEFAULT NULL, - `log_encoding` varchar(64) DEFAULT NULL, - `extra_info` longtext, - `identifier` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_repositories_on_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `repositories` --- - -LOCK TABLES `repositories` WRITE; -/*!40000 ALTER TABLE `repositories` DISABLE KEYS */; -/*!40000 ALTER TABLE `repositories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles` --- - -DROP TABLE IF EXISTS `roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `assignable` tinyint(1) DEFAULT '1', - `builtin` int(11) NOT NULL DEFAULT '0', - `permissions` text, - `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', - `users_visibility` varchar(30) NOT NULL DEFAULT 'all', - `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', - `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', - `settings` 
text, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles` --- - -LOCK TABLES `roles` WRITE; -/*!40000 ALTER TABLE `roles` DISABLE KEYS */; -INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- 
:add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: 
\'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); -/*!40000 ALTER TABLE `roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles_managed_roles` --- - -DROP TABLE IF EXISTS `roles_managed_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles_managed_roles` ( - `role_id` int(11) NOT NULL, - `managed_role_id` int(11) NOT NULL, - UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles_managed_roles` --- - -LOCK TABLES `roles_managed_roles` WRITE; -/*!40000 ALTER TABLE `roles_managed_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `roles_managed_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `schema_migrations` --- - -DROP TABLE IF EXISTS `schema_migrations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `schema_migrations` ( - `version` varchar(255) NOT NULL, - PRIMARY KEY (`version`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `schema_migrations` --- - -LOCK TABLES `schema_migrations` WRITE; -/*!40000 ALTER TABLE `schema_migrations` DISABLE KEYS */; -INSERT INTO `schema_migrations` VALUES 
('1'),('1-redmine_webhook'),('10'),('100'),('101'),('102'),('103'),('104'),('105'),('106'),('107'),('108'),('11'),('12'),('13'),('14'),('15'),('16'),('17'),('18'),('19'),('2'),('20'),('20090214190337'),('20090312172426'),('20090312194159'),('20090318181151'),('20090323224724'),('20090401221305'),('20090401231134'),('20090403001910'),('20090406161854'),('20090425161243'),('20090503121501'),('20090503121505'),('20090503121510'),('20090614091200'),('20090704172350'),('20090704172355'),('20090704172358'),('20091010093521'),('20091017212227'),('20091017212457'),('20091017212644'),('20091017212938'),('20091017213027'),('20091017213113'),('20091017213151'),('20091017213228'),('20091017213257'),('20091017213332'),('20091017213444'),('20091017213536'),('20091017213642'),('20091017213716'),('20091017213757'),('20091017213835'),('20091017213910'),('20091017214015'),('20091017214107'),('20091017214136'),('20091017214236'),('20091017214308'),('20091017214336'),('20091017214406'),('20091017214440'),('20091017214519'),('20091017214611'),('20091017214644'),('20091017214720'),('20091017214750'),('20091025163651'),('20091108092559'),('20091114105931'),('20091123212029'),('20091205124427'),('20091220183509'),('20091220183727'),('20091220184736'),('20091225164732'),('20091227112908'),('20100129193402'),('20100129193813'),('20100221100219'),('20100313132032'),('20100313171051'),('20100705164950'),('20100819172912'),('20101104182107'),('20101107130441'),('20101114115114'),('20101114115359'),('20110220160626'),('20110223180944'),('20110223180953'),('20110224000000'),('20110226120112'),('20110226120132'),('20110227125750'),('20110228000000'),('20110228000100'),('20110401192910'),('20110408103312'),('20110412065600'),('20110511000000'),('20110902000000'),('20111201201315'),('20120115143024'),('20120115143100'),('20120115143126'),('20120127174243'),('20120205111326'),('20120223110929'),('20120301153455'),('20120422150750'),('20120705074331'),('20120707064544'),('20120714122000'),('2012071412
2100'),('20120714122200'),('20120731164049'),('20120930112914'),('20121026002032'),('20121026003537'),('20121209123234'),('20121209123358'),('20121213084931'),('20130110122628'),('20130201184705'),('20130202090625'),('20130207175206'),('20130207181455'),('20130215073721'),('20130215111127'),('20130215111141'),('20130217094251'),('20130602092539'),('20130710182539'),('20130713104233'),('20130713111657'),('20130729070143'),('20130911193200'),('20131004113137'),('20131005100610'),('20131124175346'),('20131210180802'),('20131214094309'),('20131215104612'),('20131218183023'),('20140228130325'),('20140903143914'),('20140920094058'),('20141029181752'),('20141029181824'),('20141109112308'),('20141122124142'),('20150113194759'),('20150113211532'),('20150113213922'),('20150113213955'),('20150208105930'),('20150510083747'),('20150525103953'),('20150526183158'),('20150528084820'),('20150528092912'),('20150528093249'),('20150725112753'),('20150730122707'),('20150730122735'),('20150921204850'),('20150921210243'),('20151020182334'),('20151020182731'),('20151021184614'),('20151021185456'),('20151021190616'),('20151024082034'),('20151025072118'),('20151031095005'),('20160404080304'),('20160416072926'),('20160529063352'),('20161001122012'),('20161002133421'),('20161010081301'),('20161010081528'),('20161010081600'),('20161126094932'),('20161220091118'),('20170207050700'),('20170302015225'),('20170309214320'),('20170320051650'),('20170418090031'),('20170419144536'),('20170723112801'),('20180501132547'),('20180913072918'),('20180923082945'),('20180923091603'),('20190315094151'),('20190315102101'),('20190510070108'),('20190620135549'),('21'),('22'),('23'),('24'),('25'),('26'),('27'),('28'),('29'),('3'),('30'),('31'),('32'),('33'),('34'),('35'),('36'),('37'),('38'),('39'),('4'),('40'),('41'),('42'),('43'),('44'),('45'),('46'),('47'),('48'),('49'),('5'),('50'),('51'),('52'),('53'),('54'),('55'),('56'),('57'),('58'),('59'),('6'),('60'),('61'),('62'),('63'),('64'),('65'),('66'),('67'),('68')
,('69'),('7'),('70'),('71'),('72'),('73'),('74'),('75'),('76'),('77'),('78'),('79'),('8'),('80'),('81'),('82'),('83'),('84'),('85'),('86'),('87'),('88'),('89'),('9'),('90'),('91'),('92'),('93'),('94'),('95'),('96'),('97'),('98'),('99'); -/*!40000 ALTER TABLE `schema_migrations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `settings` --- - -DROP TABLE IF EXISTS `settings`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `settings` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `value` text, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_settings_on_name` (`name`) -) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `settings` --- - -LOCK TABLES `settings` WRITE; -/*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 
13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.178:7000/playbook/sigmac\ncreate_url: http://10.66.166.178:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 
16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); -/*!40000 ALTER TABLE `settings` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `time_entries` --- - -DROP TABLE IF EXISTS `time_entries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `time_entries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `issue_id` int(11) DEFAULT NULL, - `hours` float NOT NULL, - `comments` varchar(1024) DEFAULT NULL, - `activity_id` int(11) NOT NULL, - `spent_on` date NOT NULL, - `tyear` int(11) NOT NULL, - `tmonth` int(11) NOT NULL, - `tweek` int(11) NOT 
NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `time_entries_project_id` (`project_id`), - KEY `time_entries_issue_id` (`issue_id`), - KEY `index_time_entries_on_activity_id` (`activity_id`), - KEY `index_time_entries_on_user_id` (`user_id`), - KEY `index_time_entries_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `time_entries` --- - -LOCK TABLES `time_entries` WRITE; -/*!40000 ALTER TABLE `time_entries` DISABLE KEYS */; -/*!40000 ALTER TABLE `time_entries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `tokens` --- - -DROP TABLE IF EXISTS `tokens`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `tokens` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `action` varchar(30) NOT NULL DEFAULT '', - `value` varchar(40) NOT NULL DEFAULT '', - `created_on` datetime NOT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `tokens_value` (`value`), - KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=55 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `tokens` --- - -LOCK TABLES `tokens` WRITE; -/*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 
18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'); -/*!40000 ALTER TABLE `tokens` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `trackers` --- - -DROP TABLE IF EXISTS `trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trackers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', - `fields_bits` int(11) DEFAULT '0', - `default_status_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trackers` --- - -LOCK TABLES `trackers` WRITE; -/*!40000 ALTER TABLE `trackers` DISABLE KEYS */; -INSERT INTO `trackers` VALUES 
(1,'Play','',0,1,0,255,2); -/*!40000 ALTER TABLE `trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_preferences` --- - -DROP TABLE IF EXISTS `user_preferences`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_preferences` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `others` text, - `hide_mail` tinyint(1) DEFAULT '1', - `time_zone` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_user_preferences_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_preferences` --- - -LOCK TABLES `user_preferences` WRITE; -/*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; -INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(2,8,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); -/*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `users` --- - -DROP TABLE IF 
EXISTS `users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `users` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `login` varchar(255) NOT NULL DEFAULT '', - `hashed_password` varchar(40) NOT NULL DEFAULT '', - `firstname` varchar(30) NOT NULL DEFAULT '', - `lastname` varchar(255) NOT NULL DEFAULT '', - `admin` tinyint(1) NOT NULL DEFAULT '0', - `status` int(11) NOT NULL DEFAULT '1', - `last_login_on` datetime DEFAULT NULL, - `language` varchar(5) DEFAULT '', - `auth_source_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `identity_url` varchar(255) DEFAULT NULL, - `mail_notification` varchar(255) NOT NULL DEFAULT '', - `salt` varchar(64) DEFAULT NULL, - `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', - `passwd_changed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_users_on_id_and_type` (`id`,`type`), - KEY `index_users_on_auth_source_id` (`auth_source_id`), - KEY `index_users_on_type` (`type`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `users` --- - -LOCK TABLES `users` WRITE; -/*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-13 14:22:22','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 
13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-13 14:23:44','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); -/*!40000 ALTER TABLE `users` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `versions` --- - -DROP TABLE IF EXISTS `versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', - `effective_date` date DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `wiki_page_title` varchar(255) DEFAULT NULL, - `status` varchar(255) DEFAULT 'open', - `sharing` varchar(255) NOT NULL DEFAULT 'none', - PRIMARY KEY (`id`), - KEY `versions_project_id` (`project_id`), - KEY `index_versions_on_sharing` (`sharing`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `versions` --- - -LOCK TABLES `versions` WRITE; -/*!40000 ALTER TABLE `versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `versions` ENABLE KEYS */; -UNLOCK TABLES; - 
--- --- Table structure for table `watchers` --- - -DROP TABLE IF EXISTS `watchers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `watchers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `watchable_type` varchar(255) NOT NULL DEFAULT '', - `watchable_id` int(11) NOT NULL DEFAULT '0', - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `watchers_user_id_type` (`user_id`,`watchable_type`), - KEY `index_watchers_on_user_id` (`user_id`), - KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `watchers` --- - -LOCK TABLES `watchers` WRITE; -/*!40000 ALTER TABLE `watchers` DISABLE KEYS */; -/*!40000 ALTER TABLE `watchers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `webhooks` --- - -DROP TABLE IF EXISTS `webhooks`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `webhooks` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `url` varchar(255) DEFAULT NULL, - `project_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `webhooks` --- - -LOCK TABLES `webhooks` WRITE; -/*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.178:7000/playbook/webhook',1); -/*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_content_versions` --- - -DROP TABLE IF EXISTS `wiki_content_versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_content_versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_content_id` int(11) NOT NULL, - 
`page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `data` longblob, - `compression` varchar(6) DEFAULT '', - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_content_versions_wcid` (`wiki_content_id`), - KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_content_versions` --- - -LOCK TABLES `wiki_content_versions` WRITE; -/*!40000 ALTER TABLE `wiki_content_versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_content_versions` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_contents` --- - -DROP TABLE IF EXISTS `wiki_contents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_contents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `text` longtext, - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_contents_page_id` (`page_id`), - KEY `index_wiki_contents_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_contents` --- - -LOCK TABLES `wiki_contents` WRITE; -/*!40000 ALTER TABLE `wiki_contents` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_contents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_pages` --- - -DROP TABLE IF EXISTS `wiki_pages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_pages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) NOT NULL, - `created_on` datetime NOT NULL, - `protected` 
tinyint(1) NOT NULL DEFAULT '0', - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), - KEY `index_wiki_pages_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_pages` --- - -LOCK TABLES `wiki_pages` WRITE; -/*!40000 ALTER TABLE `wiki_pages` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_pages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_redirects` --- - -DROP TABLE IF EXISTS `wiki_redirects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_redirects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) DEFAULT NULL, - `redirects_to` varchar(255) DEFAULT NULL, - `created_on` datetime NOT NULL, - `redirects_to_wiki_id` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_redirects` --- - -LOCK TABLES `wiki_redirects` WRITE; -/*!40000 ALTER TABLE `wiki_redirects` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_redirects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wikis` --- - -DROP TABLE IF EXISTS `wikis`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wikis` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `start_page` varchar(255) NOT NULL, - `status` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `wikis_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- 
Dumping data for table `wikis` --- - -LOCK TABLES `wikis` WRITE; -/*!40000 ALTER TABLE `wikis` DISABLE KEYS */; -/*!40000 ALTER TABLE `wikis` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `workflows` --- - -DROP TABLE IF EXISTS `workflows`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `workflows` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL DEFAULT '0', - `old_status_id` int(11) NOT NULL DEFAULT '0', - `new_status_id` int(11) NOT NULL DEFAULT '0', - `role_id` int(11) NOT NULL DEFAULT '0', - `assignee` tinyint(1) NOT NULL DEFAULT '0', - `author` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(30) DEFAULT NULL, - `field_name` varchar(30) DEFAULT NULL, - `rule` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), - KEY `index_workflows_on_old_status_id` (`old_status_id`), - KEY `index_workflows_on_role_id` (`role_id`), - KEY `index_workflows_on_new_status_id` (`new_status_id`), - KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `workflows` --- - -LOCK TABLES `workflows` WRITE; -/*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES 
(116,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(117,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(118,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(119,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(120,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(121,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(122,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(123,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(124,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(125,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(126,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(127,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(128,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(129,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(130,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(131,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(133,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(135,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(136,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(137,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(138,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(139,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(140,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(141,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(142,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(143,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(144,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(145,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(146,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(147,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(148,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(149,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(150,1,3,0,3,0,0,'WorkflowPermission','12','readon
ly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(152,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(154,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(155,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(156,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(157,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(158,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(159,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(160,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(161,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(162,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(163,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(164,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(165,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(166,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(167,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(168,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(169,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(171,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(173,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(174,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(175,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(176,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(177,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(178,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(179,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(180,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(181,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(182,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(183,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(184,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(185,1,5,0,3,0,0,'WorkflowPermission','8','r
eadonly'),(186,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(187,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(188,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(190,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(192,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(193,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(194,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(195,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(196,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(197,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(198,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(199,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(200,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(201,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(202,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(203,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(204,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(205,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(206,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(207,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(209,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition
',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL); -/*!40000 ALTER TABLE `workflows` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2020-05-13 15:01:33 From 4cedacf8fdbc4578c7d77f02e539b407ad6bb1da Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 2 Jul 2020 06:01:12 -0400 Subject: [PATCH 109/314] Improve curator verbiage in so-import-pcap --- salt/common/tools/sbin/so-import-pcap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 72b713a98..2b68525f9 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -249,5 +249,5 @@ fi if [[ $STOP_CURATOR -eq 1 ]]; then echo "" - echo "CAUTION: Curator has been stopped and must be manually re-enabled via so-curator-start, once analysis is completed." + echo "CAUTION: Curator has been stopped. Use `so-curator-start` to start curator once the imported PCAP data is no longer needed. fi \ No newline at end of file From c7a3cc9c17f7aa05ee6d109f103353b71ef1e6d5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 2 Jul 2020 08:58:14 -0400 Subject: [PATCH 110/314] [fix][revert] Change source in so-allow to correct path --- salt/common/tools/sbin/so-allow | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index f069a3e4a..71c8f8c9b 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -source ./so-common +. /usr/sbin/so-common local_salt_dir=/opt/so/saltstack/local From cf6a229f51a78e368546a0aea0a3e2f78da70acc Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 2 Jul 2020 12:07:24 -0400 Subject: [PATCH 111/314] Import now requires execution on a sensor node due to the need for zeek and suricata; Automatically stop curator if curator is installed --- salt/common/tools/sbin/so-import-pcap | 51 ++++++--------------------- 1 file changed, 10 insertions(+), 41 deletions(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 2b68525f9..9e54820e0 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
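Review bot: The added echo line wraps `so-curator-start` in backticks inside a double-quoted string, so the shell performs command substitution and would actually invoke so-curator-start while printing the caution, which is the opposite of what the message intends; the line is also missing its closing double quote, leaving the string unterminated at the `fi`. Both problems go away if the command name is quoted literally and the string is closed: `echo "CAUTION: Curator has been stopped. Use 'so-curator-start' to start curator once the imported PCAP data is no longer needed."`. The `@@ -246,8 +220,3 @@` hunk of the following so-import-pcap patch in this series deletes this block entirely, but the commit as written is broken on its own. The enclosing script continues outside the hunk.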
@@ -21,18 +21,9 @@ function usage { cat << EOF -Usage: $0 [options] [pcap-file-2] [pcap-file-N] +Usage: $0 [pcap-file-2] [pcap-file-N] -Imports one or more PCAP files for analysis. - -Options: - --stop-curator Use this option when importing PCAPs with older traffic, - otherwise the data will not be available for analysis. - CAUTION: Curator will remain disabled! If this is a - production installation then curator should be - re-enabled once analysis of the imported PCAP - data is completed. Use the 'so-curator-start' - command to re-enable curator. +Imports one or more PCAP files for analysis. If available, curator will be automatically stopped. EOF } @@ -98,35 +89,16 @@ function zeek() { -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 } -MORE_OPTIONS=1 -while [[ $# -gt 0 && $MORE_OPTIONS -eq 1 ]]; do - arg="$1" - case "$arg" in - "--stop-curator" ) - STOP_CURATOR=1 - shift - ;; - * ) - if [[ "$arg" == "--"* ]]; then - echo "Invalid option" - usage - exit 1 - else - MORE_OPTIONS=0 - fi - esac -done - # if no parameters supplied, display usage if [ $# -eq 0 ]; then usage exit 1 fi -# ensure this is a manager node -if [ ! -d /opt/so/conf/soc ]; then - echo "This procedure must be run on a manager node." - exit 2 +# ensure this is a sensor node +if [ ! -d /opt/so/conf/suricata ]; then + echo "This command must be run on a sensor node." + exit 3 fi # verify that all parameters are files @@ -134,11 +106,13 @@ for i in "$@"; do if ! [ -f "$i" ]; then usage echo "\"$i\" is not a valid file!" - exit 3 + exit 2 fi done -if [[ $STOP_CURATOR -eq 1 ]]; then +if ! [ -d /opt/so/conf/curator ]; then + echo "Curator is not installed on this node and cannot be stopped automatically." +else echo -n "Stopping curator..." so-curator-stop > /dev/null 2>&1 echo "Done" @@ -246,8 +220,3 @@ 
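Review bot: In the `@@ -134,11 +106,13 @@` hunk the exit status of `so-curator-stop` is discarded and "Done" is printed unconditionally, so a failed stop is reported as success and the imported traffic may still be aged out before it can be analysed. Test the result instead: `if so-curator-stop > /dev/null 2>&1; then echo "Done"; else echo "Failed - stop curator manually before importing"; fi`. Since the final hunk also deletes the closing CAUTION message, the operator is no longer told that curator stays stopped after the import; the usage text now only says it will be stopped, so one line there or at the end of the script should state that curator must be restarted with so-curator-start. The `zeek()` function whose closing brace opens the second hunk begins outside it.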
From: $START_OLDEST To: $END_NEWEST Please note that it may take 30 seconds or more for events to appear in Kibana. EOF fi - -if [[ $STOP_CURATOR -eq 1 ]]; then - echo "" - echo "CAUTION: Curator has been stopped. Use `so-curator-start` to start curator once the imported PCAP data is no longer needed. -fi \ No newline at end of file From 69ace6fbfa91ba0ea49d037d1d1caed050bada96 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 2 Jul 2020 12:16:56 -0400 Subject: [PATCH 112/314] Initial commit - Low Level Alerts --- salt/elastalert/files/rules/so/nids2hive.yaml | 52 ------------------- .../files/rules/so/suricata_thehive.yaml | 51 ++++++++++++++++++ .../files/rules/so/wazuh_thehive.yaml | 49 +++++++++++++++++ salt/soctopus/files/SOCtopus.conf | 2 +- salt/soctopus/init.sls | 3 +- 5 files changed, 102 insertions(+), 55 deletions(-) delete mode 100644 salt/elastalert/files/rules/so/nids2hive.yaml create mode 100644 salt/elastalert/files/rules/so/suricata_thehive.yaml create mode 100644 salt/elastalert/files/rules/so/wazuh_thehive.yaml diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml deleted file mode 100644 index 097511d56..000000000 --- a/salt/elastalert/files/rules/so/nids2hive.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} -{% set hivekey = salt['pillar.get']('static:hivekey', '') %} -{% set MASTER = salt['pillar.get']('master:url_base', '') %} - -# hive.yaml -# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance. -# -es_host: {{es}} -es_port: 9200 -name: NIDS-Alert -type: frequency -index: "so-ids-*" -num_events: 1 -timeframe: - minutes: 10 -buffer_time: - minutes: 10 -allow_buffer_time_overlap: true -query_key: ["rule.uuid"] -realert: - days: 1 -filter: -- query: - query_string: - query: "event.module: suricata" - -alert: hivealerter - -hive_connection: - hive_host: http://{{hivehost}} - hive_port: 9000/thehive - hive_apikey: {{hivekey}} - -hive_proxies: - http: '' - https: '' - -hive_alert_config: - title: '{match[rule][name]}' - type: 'NIDS' - source: 'SecurityOnion' - description: "`Hunting Pivot:` \n\n \n\n `Kibana Dashboard - Signature Drilldown:` \n\n \n\n `Kibana Dashboard - Community_ID:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" - severity: 2 - tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] - tlp: 3 - status: 'New' - follow: True - -hive_observable_data_mapping: - - ip: '{match[source][ip]}' - - ip: '{match[destination][ip]}' diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml new file mode 100644 index 000000000..82698b7a8 --- /dev/null +++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml 
@@ -0,0 +1,51 @@ +{% set es = salt['pillar.get']('static:masterip', '') %} +{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set hivekey = salt['pillar.get']('static:hivekey', '') %} +{% set MASTER = salt['pillar.get']('master:url_base', '') %} + +# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance. +# +es_host: {{es}} +es_port: 9200 +name: Suricata-Alert +type: frequency +index: "so-ids-*" +num_events: 1 +timeframe: + minutes: 10 +buffer_time: + minutes: 10 +allow_buffer_time_overlap: true +query_key: ["rule.uuid","source.ip","destination.ip"] +realert: + days: 1 +filter: +- query: + query_string: + query: "event.module: suricata AND rule.severity:(1 OR 2)" + +alert: hivealerter + +hive_connection: + hive_host: http://{{hivehost}} + hive_port: 9000/thehive + hive_apikey: {{hivekey}} + +hive_proxies: + http: '' + https: '' + +hive_alert_config: + title: '{match[rule][name]}' + type: 'NIDS' + source: 'SecurityOnion' + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" + severity: 2 + tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] + tlp: 3 + status: 'New' + follow: True + +hive_observable_data_mapping: + - ip: '{match[source][ip]}' + - ip: '{match[destination][ip]}' diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml new file mode 100644 index 000000000..1e275dce8 --- /dev/null +++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml 
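Review bot: `hive_apikey: {{hivekey}}` and `es_host: {{es}}` are rendered unquoted, so an empty pillar value becomes YAML null and a key containing `: `, ` #` or a leading indicator character breaks the parse of the whole rule; quote the templated scalars, `hive_apikey: "{{hivekey}}"` and `es_host: "{{es}}"`. The same applies to the identical lines in wazuh_thehive.yaml in the next hunk. `follow: True` relies on YAML 1.1 boolean spelling; `follow: true` is the portable form. `MASTER` is set at the top of the file but not referenced anywhere visible in this rule — possibly consumed by markup the rendering stripped, otherwise it can be dropped.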
@@ -0,0 +1,49 @@ +{% set es = salt['pillar.get']('static:masterip', '') %} +{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set hivekey = salt['pillar.get']('static:hivekey', '') %} +{% set MASTER = salt['pillar.get']('master:url_base', '') %} + +# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance. +# +es_host: {{es}} +es_port: 9200 +name: Wazuh-Alert +type: frequency +index: "so-ossec-*" +num_events: 1 +timeframe: + minutes: 10 +buffer_time: + minutes: 10 +allow_buffer_time_overlap: true +realert: + days: 1 +filter: +- query: + query_string: + query: "event.module: ossec AND rule.level>=8" + +alert: hivealerter + +hive_connection: + hive_host: http://{{hivehost}} + hive_port: 9000/thehive + hive_apikey: {{hivekey}} + +hive_proxies: + http: '' + https: '' + +hive_alert_config: + title: '{match[rule][name]}' + type: 'wazuh' + source: 'SecurityOnion' + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n " + severity: 2 + tags: ['{match[rule][id]}','{match[host][name]}'] + tlp: 3 + status: 'New' + follow: True + +hive_observable_data_mapping: + - other: '{match[host][name]}' diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 71318b58d..d2c3eea2d 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -60,7 +60,7 @@ slack_url = YOURSLACKWORKSPACE slack_webhook = YOURSLACKWEBHOOK [playbook] -playbook_url = https://{{MASTER}}/playbook +playbook_url = http://{{MASTER}}:3200/playbook playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f playbook_verifycert = no playbook_unit_test_index = playbook-testing diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 6630b32b5..6c06fecff 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls 
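Review bot: `playbook_url` now points at plain `http://{{MASTER}}:3200/playbook` instead of the HTTPS reverse-proxy path, so the `playbook_key` on the following line is sent in clear text on every request; if MASTER can resolve to a remote host this is a credential exposure, and if it is always the local box a comment saying so keeps the next reader from "fixing" it back to https. Something like `# plain HTTP is acceptable only while port 3200 is reachable solely from this host - TODO confirm` above the key documents the assumption. The hard-coded `playbook_key` value on the unchanged context line is committed to the repository; it should come from pillar the way `hivekey` does in the elastalert rules in this same patch.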
@@ -10,7 +10,7 @@ soctopusdir: - group: 939 - makedirs: True -soctopussync: +soctopus-sync: file.recurse: - name: /opt/so/conf/soctopus/templates - source: salt://soctopus/files/templates @@ -24,7 +24,6 @@ soctopusconf: - source: salt://soctopus/files/SOCtopus.conf - user: 939 - group: 939 - - replace: False - mode: 600 - template: jinja From bbc752b6d9ffcdf52937ace2bc2f8e2982fa2a4e Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 2 Jul 2020 13:32:19 -0400 Subject: [PATCH 113/314] Fix my typo --- files/firewall/hostgroups.local.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index edb08e195..6426ae207 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -13,6 +13,7 @@ firewall: delete: insert: elasticsearch_rest: + ips: delete: insert: fleet: From 99d490bc06edd982c431f3840a0307e2164123af Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 2 Jul 2020 17:15:46 -0400 Subject: [PATCH 114/314] [fix][refactor] Move detect_ec2 and add echo statement --- setup/so-functions | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 033d6ef3c..7ab718dd3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -583,6 +583,11 @@ configure_network_sensor() { fi } +detect_ec2() { + echo "Testing if setup is running on an EC2 instance" + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi +} + detect_os() { # Detect Base OS @@ -1665,8 +1670,3 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } - -detect_ec2() { - # Check if EC2 - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi -} From 57bbb02c653803aebc1a797c05512bd1c23d7d6f Mon Sep 17 00:00:00 2001 
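Review bot: Dropping `- replace: False` from `soctopusconf` means Salt now rewrites /opt/so/conf/soctopus/SOCtopus.conf on every highstate, so any values an operator entered by hand (the slack webhook placeholders or the playbook key seen in the template) are overwritten; that is correct if every value is meant to come from pillar through the jinja template, but it is a behaviour change the commit message does not mention. A comment above the state, `# managed entirely from pillar; local edits are overwritten on each highstate`, would make the intent explicit. The renamed `soctopus-sync` ID should also be checked against any `require`/`watch` references that still say `soctopussync`; none are visible in this diff.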
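Review bot: `detect_ec2` only tries IMDSv1; on instances whose metadata service is configured to require session tokens (IMDSv2), the unauthenticated GET to `/latest/meta-data/instance-id` is refused and `is_ec2` is never set, so setup silently treats a hardened EC2 host as non-EC2. Requesting a token first and sending it with the metadata call keeps detection working in both modes, as below. The added `echo` goes to stdout rather than to `"$setup_log"` like the neighbouring functions in this file — presumably intentional for the interactive run, but worth confirming.
```shell
detect_ec2() {
  echo "Testing if setup is running on an EC2 instance"
  # Fetch an IMDSv2 session token first; hosts that enforce IMDSv2 refuse the plain GET below.
  local token
  token=$(curl --fail -s -m 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  if curl --fail -s -m 5 ${token:+-H "X-aws-ec2-metadata-token: $token"} http://169.254.169.254/latest/meta-data/instance-id > /dev/null; then export is_ec2="true"; fi
}
```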
From: William Wernert Date: Thu, 2 Jul 2020 17:17:46 -0400 Subject: [PATCH 115/314] [refactor][fix] Move nmcli status list gen to a function nmcli is only assured to be installed after detect_os is run so move this command to a function so it can run after detect_os --- setup/so-functions | 5 +++++ setup/so-setup | 1 + setup/so-variables | 3 --- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 7ab718dd3..00b00f3ab 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1318,6 +1318,11 @@ set_base_heapsizes() { ls_heapsize } +set_network_dev_status_list() { + readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" + export nmcli_dev_status_list +} + set_main_ip() { MAINIP=$(ip route get 1 | awk '{print $7;exit}') } diff --git a/setup/so-setup b/setup/so-setup index 4b172efed..775064f9f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -109,6 +109,7 @@ export PATH=$PATH:../salt/common/tools/sbin got_root detect_os && detect_ec2 +set_network_dev_status_list if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 diff --git a/setup/so-variables b/setup/so-variables index bd5f8869d..1123562d9 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -44,6 +44,3 @@ export local_salt_dir=/opt/so/saltstack/local SCRIPTDIR=$(cd "$(dirname "$0")" && pwd) export SCRIPTDIR - -readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" -export nmcli_dev_status_list From 087080d583f9c159c28ff42528fb020068505201 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 13:16:40 -0400 Subject: [PATCH 116/314] Add logix for logstash_settings --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 0c8296c02..81f45cb7b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
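Review bot: `export nmcli_dev_status_list` in `set_network_dev_status_list` has no effect beyond the current shell — bash does not export array variables to child processes — so if the list is only consumed by functions sourced into so-setup the `export` is dead weight, and if a separate script is expected to read it that expectation is not met. Drop the line if it is only needed in-process; otherwise serialise the list into a scalar (one entry per line) before exporting. The moved `readarray` also runs unconditionally: if `nmcli` is absent on a distribution that `detect_os` does not provision, the array silently holds one empty element, so a guard such as `command -v nmcli > /dev/null || return` before it would fail visibly instead.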
@@ -1013,11 +1013,13 @@ node_pillar() { " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ + if [ "$install_type" != 'EVAL' ] || [ "$install_type" != 'HELIXSENSOR' ] || [ "$install_type" != 'MASTERSEARCH' ] || [ "$install_type" != 'STANDALONE' ]; then "logstash_settings:"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ " ls_input_threads: $LSINPUTTHREADS"\ " ls_batch_count: $LSINPUTBATCHCOUNT"\ " lsheap: $NODE_LS_HEAP_SIZE"\ + fi "" >> "$pillar_file" printf '%s\n' '----' >> "$setup_log" 2>&1 From 1016315196d773e8dba1d0a00ee551f2555c8592 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 13:58:38 -0400 Subject: [PATCH 117/314] Change Logic for logstash --- setup/so-functions | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 81f45cb7b..8af0208ea 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1013,14 +1013,17 @@ node_pillar() { " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ - if [ "$install_type" != 'EVAL' ] || [ "$install_type" != 'HELIXSENSOR' ] || [ "$install_type" != 'MASTERSEARCH' ] || [ "$install_type" != 'STANDALONE' ]; then + "" >> "$pillar_file" + + if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then + printf '%s\n'\ "logstash_settings:"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ " ls_input_threads: $LSINPUTTHREADS"\ " ls_batch_count: $LSINPUTBATCHCOUNT"\ " lsheap: $NODE_LS_HEAP_SIZE"\ - fi "" >> "$pillar_file" + fi printf '%s\n' '----' >> "$setup_log" 2>&1 cat "$pillar_file" >> "$setup_log" 2>&1 From b4e556496ba4e6c5f0a2948a71bc23d45e6003fc Mon Sep 17 00:00:00 2001 
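Review bot: The four-way `!=` chain in the PATCH 117 hunk is hard to read and easy to get wrong — the PATCH 116 version of the same line used `||`, which is always true — and a `case` statement expresses the exclusion list directly: `case "$install_type" in EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE) ;; *) printf '%s\n' "logstash_settings:" ... "" >> "$pillar_file" ;; esac`. A one-line comment above it saying why these four install types get no `logstash_settings` block would also help, since the reason is not visible here. `node_pillar` begins and ends outside the hunk.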
From: m0duspwnens Date: Mon, 6 Jul 2020 15:18:47 -0400 Subject: [PATCH 118/314] add elasticsearch_rest to assigned hostgroups where missing --- salt/firewall/assigned_hostgroups.map.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index c16a63c00..07f7d1650 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -135,6 +135,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -210,6 +213,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -288,6 +294,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -394,6 +403,9 @@ role: portgroups: - {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_rest }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} INPUT: hostgroups: anywhere: From be3390a796436b0b84a226bf5e4b1827437f5cc1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 15:53:21 -0400 Subject: [PATCH 119/314] Fix Logstash state --- salt/logstash/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index b42ea4546..e2494e57a 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
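Review bot: Each of the four hunks adds an `elasticsearch_rest` hostgroup mapped to the Elasticsearch REST portgroup without a comment, and the hunk headers show only `role:`, so it is not visible here which roles gain this exposure; a short comment above each addition naming the consumer that needs REST access from that hostgroup would let a later firewall-policy review check the intent. The `elasticsearch_rest` hostgroup's `ips:` list appears empty in hostgroups.local.yaml (PATCH 113), so nothing is opened until an operator adds addresses — presumably through so-allow — and that is worth stating once: `# elasticsearch_rest: no IPs by default; populate to allow direct REST access`.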
@@ -24,7 +24,7 @@ # Logstash Section - Decide which pillar to use {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} -{% elif grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} +{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} {% set freq = salt['pillar.get']('master:freq', '0') %} {% set dstats = salt['pillar.get']('master:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} From f05e366d492f11f024877f2b4cbf38f90fa95aaf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 15:56:55 -0400 Subject: [PATCH 120/314] Fix salt upgrade script --- salt/common/tools/sbin/so-saltstack-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update index ce323025d..59c497487 100644 --- a/salt/common/tools/sbin/so-saltstack-update +++ b/salt/common/tools/sbin/so-saltstack-update @@ -30,7 +30,7 @@ clone_to_tmp() { copy_new_files() { # Copy new files over to the salt dir - cd /tmp/sogh/securityonion-saltstack + cd /tmp/sogh/securityonion git checkout $BRANCH rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/ rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/ From 3b452ab597f3714d54c156e12237f8991107315d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 16:39:43 -0400 Subject: [PATCH 121/314] Change grafana to use anon auth --- salt/grafana/etc/grafana.ini | 6 +++--- salt/nginx/etc/nginx.conf.so-eval | 1 + salt/nginx/etc/nginx.conf.so-master | 1 + salt/nginx/etc/nginx.conf.so-mastersearch | 1 + salt/nginx/etc/nginx.conf.so-standalone | 1 + 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/grafana/etc/grafana.ini b/salt/grafana/etc/grafana.ini index 0327b8bc5..3486ff241 100644 --- a/salt/grafana/etc/grafana.ini +++ b/salt/grafana/etc/grafana.ini 
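Review bot: The corrected `cd /tmp/sogh/securityonion` in `copy_new_files` is still unchecked, so if the clone failed or the directory is missing the script carries on and runs `git checkout` and both `rsync` calls from whatever the previous working directory was; `cd /tmp/sogh/securityonion || exit 1` (or `set -e` at the top of the script, outside this hunk) stops it there. Because the checkout lives under /tmp, which other local accounts can write to, it would also be prudent for `clone_to_tmp` (outside this hunk) to remove any pre-existing /tmp/sogh before cloning, so that what is rsync'd into the salt tree is only what git fetched. `copy_new_files` continues past the end of the hunk.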
@@ -226,13 +226,13 @@ log_queries = #################################### Anonymous Auth ########################## [auth.anonymous] # enable anonymous access -;enabled = false +enabled = true # specify organization name that should be used for unauthenticated users -;org_name = Main Org. +org_name = Main Org. # specify role for unauthenticated users -;org_role = Viewer +org_role = Viewer #################################### Github Auth ########################## [auth.github] diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 49ba4b2ef..7e3a9a401 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval @@ -183,6 +183,7 @@ http { } location /grafana/ { + auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master index 34b5ea9cd..de3a3a6c1 100644 --- a/salt/nginx/etc/nginx.conf.so-master +++ b/salt/nginx/etc/nginx.conf.so-master @@ -183,6 +183,7 @@ http { } location /grafana/ { + auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-mastersearch index 7c8f8ff5d..952f18cd9 100644 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ b/salt/nginx/etc/nginx.conf.so-mastersearch @@ -182,6 +182,7 @@ http { } location /grafana/ { + auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 34b5ea9cd..de3a3a6c1 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone 
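Review bot: Enabling `[auth.anonymous]` makes Grafana itself accept unauthenticated Viewer sessions, so the only thing between an unauthenticated client and the dashboards is the `auth_request /auth/sessions/whoami;` added to the four nginx `location /grafana/` blocks (three in this line, so-standalone on the next). That holds only if port 3000 on `{{ masterip }}` is reachable from nothing but the proxy; the firewall rules for 3000 are not in this diff, so please confirm. A comment in grafana.ini recording the dependency, `# anonymous access is gated by the nginx auth_request on /grafana/; port 3000 must stay firewalled to the proxy host`, would keep the two settings from drifting apart.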
@@ -183,6 +183,7 @@ http { } location /grafana/ { + auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; From be5f4b04c65822bc8f7dae334f6cad565a9df025 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 17:21:23 -0400 Subject: [PATCH 122/314] Fix SSL Perms --- salt/ca/init.sls | 7 ++++++ salt/ssl/init.sls | 55 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index f3a1d431e..60d7adb3a 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -44,3 +44,10 @@ send_x509_pem_entries_to_mine: - mine.send: - func: x509.get_pem_entries - glob_path: /etc/pki/ca.crt + +cakeyperms: + file.managed: + - replace: False + - name: /etc/pki/ca.key + - mode: 640 + - group: 939 diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index fb8e9571a..bd7ab24b7 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -52,6 +52,13 @@ m2cryptopkgs: bits: 4096 backup: True +influxkeyperms: + file.managed: + - replace: False + - name: /etc/pki/influxdb.key + - mode: 640 + - group: 939 + {% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} # Request a cert and drop it where it needs to go to be distributed @@ -75,6 +82,13 @@ m2cryptopkgs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" +filebeatkeyperms: + file.managed: + - replace: False + - name: /etc/pki/filebeat.key + - mode: 640 + - group: 939 + chownilogstashfilebeatp8: file.managed: - replace: False @@ -114,6 +128,13 @@ fbcrtlink: bits: 4096 backup: True +regkeyperms: + file.managed: + - replace: False + - name: /etc/pki/registry.key + - mode: 640 + - group: 939 + # Create a cert for the reverse proxy /etc/pki/masterssl.crt: x509.certificate_managed: 
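Review bot: `cakeyperms` makes the CA signing key /etc/pki/ca.key group-readable by gid 939, which this series also uses as the owner of the soctopus files (salt/soctopus/init.sls); any process running with that group can then read the CA key and issue certificates every node trusts. If a service genuinely needs the CA private key that should be stated above the state, and if it only needs ca.crt the state should be dropped; `# gid 939 needs read access because <service> - TODO confirm` is the minimum. The `mode: 640` values in these hunks are unquoted integers; `mode: '0640'` avoids the YAML octal ambiguity and reads as the permission it is.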
@@ -129,6 +150,13 @@ fbcrtlink: bits: 4096 backup: True +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/masterssl.key + - mode: 640 + - group: 939 + # Create a private key and cert for OSQuery /etc/pki/fleet.key: x509.private_key_managed: @@ -151,6 +179,13 @@ fbcrtlink: bits: 4096 backup: True +fleetkeyperms: + file.managed: + - replace: False + - name: /etc/pki/fleet.key + - mode: 640 + - group: 939 + {% endif %} {% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} @@ -183,6 +218,13 @@ filebeatpkcs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" +filebeatkeyperms: + file.managed: + - replace: False + - name: /opt/so/conf/filebeat/etc/pki/filebeat.key + - mode: 640 + - group: 939 + chownfilebeatp8: file.managed: - replace: False @@ -211,6 +253,12 @@ chownfilebeatp8: bits: 4096 backup: True +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/masterssl.key + - mode: 640 + - group: 939 # Create a private key and cert for Fleet /etc/pki/fleet.key: @@ -234,4 +282,11 @@ chownfilebeatp8: bits: 4096 backup: True +fleetkeyperms: + file.managed: + - replace: False + - name: /etc/pki/fleet.key + - mode: 640 + - group: 939 + {% endif %} From 291ac3c5977e7a77252de0f0a412b5ef9bc1ef44 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Jul 2020 17:24:04 -0400 Subject: [PATCH 123/314] Fix SSL Perms --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index bd7ab24b7..db4bc97ea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -82,7 +82,7 @@ influxkeyperms: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" -filebeatkeyperms: +fbperms: file.managed: - replace: False - name: /etc/pki/filebeat.key 
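Review bot: `msslkeyperms` and `fleetkeyperms` are each declared twice in salt/ssl/init.sls — in the first role block (hunks `@@ -129` and `@@ -151`) and again in the second (`@@ -211` and `@@ -234`) — and the two `{% if grains['role'] in [...] %}` lists overlap (so-master, so-eval, so-helix, so-mastersearch and so-standalone appear in both), so unless the blocks are mutually exclusive in a way not visible here the rendered state carries conflicting IDs on those roles and Salt will refuse to apply it. PATCH 123 renames only the duplicated `filebeatkeyperms`; the other two need distinct IDs as well, e.g. `msslkeyperms-sensor:` and `fleetkeyperms-sensor:` in the second block, or the two blocks should be merged. The `msslkeyperms` addition in `@@ -211,6 +253,12 @@` is also missing the blank line that separates it from the following comment.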
From e2c9184b2968678cfbef22d53112ac58892d30cd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 7 Jul 2020 08:45:28 -0400 Subject: [PATCH 124/314] [fix][refactor] Don't use relative path in so-setup-network --- so-setup-network | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network b/so-setup-network index 2528ff14b..801782ad4 100755 --- a/so-setup-network +++ b/so-setup-network @@ -15,6 +15,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -cd setup || exit +cd "$(dirname "$0")/setup" || exit 255 ./so-setup network "$@" From 2fdd5fd77b43f2e9efa77324015d0afdd4758c33 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 7 Jul 2020 13:46:57 +0000 Subject: [PATCH 125/314] Fix pillar reference for Strelka/FB --- salt/filebeat/etc/filebeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 176365756..dede0060e 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -8,7 +8,7 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %} -{%- set STRELKAENABLED = salt['pillar.get']('static:strelka', '0') %} +{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} From 62cc02301e66da5df7e23bc370a490fe15e3aea0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 7 Jul 2020 10:28:15 -0400 Subject: [PATCH 126/314] Do not attempt to install a plugin or bc command if already exists --- setup/so-functions | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index cd81074f2..3e4fa718b 100755 --- a/setup/so-functions 
+++ b/setup/so-functions @@ -617,7 +617,12 @@ detect_os() { systemctl start NetworkManager; } >> "$setup_log" 2<&1 fi - yum -y install yum-plugin-versionlock bc >> "$setup_log" 2>&1 + if ! command -v bc > /dev/null 2>&1; then + yum -y install bc >> "$setup_log" 2>&1 + fi + if ! yum versionlock > /dev/null 2>&1; then + yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1 + fi elif [ -f /etc/os-release ]; then From c59096d9bd767ca1be06f2a538b15a6995a4f0c9 Mon Sep 17 00:00:00 2001 
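Review bot: Neither `yum -y install bc` nor `yum -y install yum-plugin-versionlock` checks its exit status, so a repository failure leaves `bc` or the versionlock plugin missing and the error surfaces later, far from its cause; `yum -y install bc >> "$setup_log" 2>&1 || { echo "Failed to install bc" >> "$setup_log"; exit 1; }` (or whatever error convention the file uses) fails fast. Worth fixing while here: the unchanged context line `} >> "$setup_log" 2<&1` is a typo for `2>&1` — bash duplicates the descriptor either way so it works by accident, but it is misleading and trips linters. `detect_os` continues past both ends of the hunk.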
From: Mike Reeves Date: Tue, 7 Jul 2020 10:42:12 -0400 Subject: [PATCH 127/314] rename node pillar to elasticsearch --- .../common/tools/sbin/so-elasticsearch-indices-rw | 2 +- salt/curator/files/action/close.yml | 2 +- salt/curator/files/action/delete.yml | 2 +- .../files/bin/so-curator-closed-delete-delete | 6 +++--- salt/curator/files/curator.yml | 2 +- salt/elastalert/init.sls | 2 +- salt/elasticsearch/files/elasticsearch.yml | 2 +- salt/elasticsearch/init.sls | 4 ++-- salt/firewall/hostgroups.yaml | 2 +- .../config/so/0900_input_redis.conf.jinja | 2 +- .../config/so/9000_output_zeek.conf.jinja | 2 +- .../config/so/9001_output_switch.conf.jinja | 2 +- .../config/so/9002_output_import.conf.jinja | 2 +- .../config/so/9004_output_flow.conf.jinja | 2 +- .../config/so/9026_output_dhcp.conf.jinja | 2 +- .../config/so/9029_output_esxi.conf.jinja | 2 +- .../config/so/9030_output_greensql.conf.jinja | 2 +- .../config/so/9031_output_iis.conf.jinja | 2 +- .../config/so/9032_output_mcafee.conf.jinja | 2 +- .../config/so/9033_output_snort.conf.jinja | 2 +- .../config/so/9034_output_syslog.conf.jinja | 2 +- .../config/so/9100_output_osquery.conf.jinja | 2 +- .../config/so/9200_output_firewall.conf.jinja | 2 +- .../config/so/9300_output_windows.conf.jinja | 2 +- .../config/so/9301_output_dns_windows.conf.jinja | 2 +- .../config/so/9400_output_suricata.conf.jinja | 2 +- .../config/so/9500_output_beats.conf.jinja | 2 +- .../config/so/9600_output_ossec.conf.jinja | 2 +- salt/mysql/init.sls | 2 +- salt/playbook/init.sls | 2 +- salt/telegraf/etc/telegraf.conf | 2 +- salt/wazuh/files/agent/ossec.conf | 2 +- salt/wazuh/files/agent/wazuh-register-agent | 2 +- setup/so-functions | 15 ++++++++------- setup/so-setup | 2 +- 35 files changed, 45 insertions(+), 44 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index acc46ff0d..d49fd5f1b 100644 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw 
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw @@ -15,7 +15,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] }} +IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} ESPORT=9200 THEHIVEESPORT=9400 diff --git a/salt/curator/files/action/close.yml b/salt/curator/files/action/close.yml index a65e9af3d..d0bd1d5d1 100644 --- a/salt/curator/files/action/close.yml +++ b/salt/curator/files/action/close.yml @@ -1,5 +1,5 @@ {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%} + {%- set cur_close_days = salt['pillar.get']('elasticsearch:cur_close_days', '') -%} {%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%} {%- endif -%} diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index 030bbbfac..f24f0b781 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -1,5 +1,5 @@ {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%} + {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} {%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%} {%- endif %} 
diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 9075752db..4a6458394 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -2,9 +2,9 @@ #!/bin/bash {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%} - {%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} + {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} {%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%} diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index f6c238a08..e9b8a63ba 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml @@ -1,5 +1,5 @@ {% if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%} + {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%} {% elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%} {%- endif %} diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 3b0b3fafe..b79acf77f 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls 
@@ -20,7 +20,7 @@ {% set esip = salt['pillar.get']('master:mainip', '') %} {% set esport = salt['pillar.get']('master:es_port', '') %} {% elif grains['role'] == 'so-node' %} - {% set esalert = salt['pillar.get']('node:elastalert', '0') %} + {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %} {% endif %} # Elastalert diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 271ef40cf..02dd42aa5 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -12,7 +12,7 @@ path.logs: /var/log/elasticsearch action.destructive_requires_name: true {%- else %} {%- set esclustername = salt['grains.get']('host', '') %} -{%- set nodeip = salt['pillar.get']('node:mainip', '') -%} +{%- set nodeip = salt['pillar.get']('elasticsearch:mainip', '') -%} cluster.name: "{{ esclustername }}" network.host: 0.0.0.0 discovery.zen.minimum_master_nodes: 1 diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 4e57f1342..7292c055e 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -26,8 +26,8 @@ {% set esclustername = salt['pillar.get']('master:esclustername', '') %} {% set esheap = salt['pillar.get']('master:esheap', '') %} {% elif grains['role'] in ['so-node','so-heavynode'] %} - {% set esclustername = salt['pillar.get']('node:esclustername', '') %} - {% set esheap = salt['pillar.get']('node:esheap', '') %} + {% set esclustername = salt['pillar.get']('elasticsearch:esclustername', '') %} + {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} {% endif %} vm.max_map_count: diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index 5f28d1af3..bd303001b 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml 
@@ -19,4 +19,4 @@ firewall: ips: delete: insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index dc2f7c4ce..4d6595dd9 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja @@ -1,5 +1,5 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MASTER = salt['pillar.get']('node:mainip', '') %} +{%- set MASTER = salt['pillar.get']('elasticsearch:mainip', '') %} {%- else %} {%- set MASTER = salt['pillar.get']('static:masterip', '') %} {% endif -%} diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 6def12650..987614a2c 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja index 824f29e34..8e5e5f200 100644 
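Review bot: The rebuilt `insert:` entry still ends in `.get(...)[0]`, so on a minion where none of `sensor:mainint`, `master:mainint`, `elasticsearch:mainint` or `host:mainint` is set, or where the named interface has no IPv4 address, `.get` yields None (or an empty list) and the `[0]` raises at render time, taking the whole firewall state down with it. Renaming `node:mainint` to `elasticsearch:mainint` makes that path more likely on an unmigrated pillar. Resolving the interface name into a variable first and only emitting the entry when `salt['grains.get']('ip_interfaces').get(mainint, [])` is non-empty would fail closed instead of breaking the state. The file also still lacks a trailing newline.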
--- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja +++ b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index b8c12d80f..9153d5c44 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Updated by: Doug Burks # Last Update: 5/16/2017 diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index f830ffeb3..2e1e79f8b 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja index 0772841a8..3da9e83ef 100644 
--- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja +++ b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja index fc664564c..b84ab4ec9 100644 --- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja +++ b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja index 1007d5f58..d6801530b 100644 --- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja +++ b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics 
diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja index f17616060..67616110f 100644 --- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja index 9a6668619..c6641f671 100644 --- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja +++ b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index fdcbb0eb1..0cc7a3b66 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja 
@@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 7b35af576..59cae7b65 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} filter { diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index d09aae10b..21ae77095 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Josh Brower # Last Update: 12/29/2018 diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 41c82e21e..54c75873d 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja index 8b8a9299f..cddda5541 100644 --- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja +++ b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja index fec703b1c..84fd1f5f7 100644 --- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja +++ b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index e7e917727..1d36d774d 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja 
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index e50c04eee..932a194ab 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 93bffca7d..5a8f9f5ba 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index c96be214c..6bb99d98c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -2,7 +2,7 @@ {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['pillar.get']('node:mainip') %} +{% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 2282d8518..eca8bda40 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,7 +1,7 @@ {% set MASTERIP = salt['pillar.get']('master:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 3495a0a85..be99dc849 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -14,7 +14,7 @@ # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) {%- set MASTER = grains['master'] %} -{% set NODEIP = salt['pillar.get']('node:mainip', '') %} +{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} 
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf index 95d17bc8d..ffc7922b0 100644 --- a/salt/wazuh/files/agent/ossec.conf +++ b/salt/wazuh/files/agent/ossec.conf @@ -1,7 +1,7 @@ {%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set ip = salt['pillar.get']('static:masterip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {%- set ip = salt['pillar.get']('node:mainip', '') %} + {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} {%- set ip = salt['pillar.get']('sensor:mainip', '') %} {%- endif %} diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index c636cd899..b38474d8e 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -1,7 +1,7 @@ {%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} {%- set ip = salt['pillar.get']('static:masterip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {%- set ip = salt['pillar.get']('node:mainip', '') %} + {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} {%- set ip = salt['pillar.get']('sensor:mainip', '') %} {%- endif %} diff --git a/setup/so-functions b/setup/so-functions index cd81074f2..c52abbb97 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1004,7 +1004,7 @@ master_static() { " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY"\ " wazuh: $WAZUH"\ - " masterupdate: $MASTERUPDATES"\ + " masterupdate: $MASTERUPDATES"\ "strelka:"\ " enabled: $STRELKA"\ " rules: $STRELKARULES"\ 
@@ -1047,22 +1047,26 @@ network_setup() { } >> "$setup_log" 2>&1 } -node_pillar() { +elasticsearch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls # Create the node pillar printf '%s\n'\ - "node:"\ + "elasticsearch:"\ " mainip: $MAINIP"\ " mainint: $MNIC"\ " esheap: $NODE_ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ - " es_shard_count: $SHARDCOUNT"\ " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ + " route_type: hot"\ + " index_settings:"\ + " so-zeek:"\ + " shards: 5"\ + " replicas: 0"\ "" >> "$pillar_file" if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then @@ -1563,9 +1567,6 @@ set_node_type() { 'SEARCHNODE' | 'EVAL' | 'MASTERSEARCH' | 'HEAVYNODE' | 'STANDALONE') NODETYPE='search' ;; - 'PARSINGNODE') - NODETYPE='parser' - ;; 'HOTNODE') NODETYPE='hot' ;; diff --git a/setup/so-setup b/setup/so-setup index 775064f9f..22b47edfb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -441,7 +441,7 @@ fi set_node_type >> $setup_log 2>&1 set_progress_str 19 'Generating search node pillar' - node_pillar >> $setup_log 2>&1 + elasticsearch_pillar >> $setup_log 2>&1 fi if [[ $is_minion ]]; then From e0570e1db7adfcf41e277d2d458b62e5c5e7a24a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 7 Jul 2020 15:00:01 +0000 Subject: [PATCH 128/314] Add Zeek FUID for Strelka records --- salt/elasticsearch/files/ingest/strelka.file | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index a2e08b799..ed80a4e5b 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
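Review bot: The user-chosen shard count is silently dropped in `elasticsearch_pillar`: the `es_shard_count: $SHARDCOUNT` line is removed, but its replacement `index_settings: so-zeek: shards: 5` is hard-coded, while `so-whiptail` on this page still defines `whiptail_shard_count`, so whatever the dialog collects never reaches the pillar. If the prompt is meant to survive, write `shards: $SHARDCOUNT`; otherwise retire the prompt in the same change so the two do not disagree. `route_type: hot` is likewise written for every node type even though `set_node_type` still distinguishes `search` from `hot` — if that is a deliberate placeholder a comment saying so would spare the next reader a search. Note also that `replicas: 0` is emitted unconditionally, including for multi-node installs where it means no redundancy.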
@@ -6,6 +6,7 @@ { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } }, + { "grok": { "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"] } }, { "remove": { "field": ["host", "path"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] From ec89ab39ac58ae3c02441058c51194516a87ef0e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 7 Jul 2020 11:56:45 -0400 Subject: [PATCH 129/314] Update 9999_output_redis.conf.jinja --- salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 5bf2512d5..b50f72747 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -8,7 +8,7 @@ output { key => 'logstash:unparsed' congestion_interval => 1 congestion_threshold => 50000000 - batch ==> True + batch => True batch_events => {{ BATCH }} } } From 0b995533ea4fdb2f71b400e4b7200c9ba667e6f6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 7 Jul 2020 13:01:29 -0400 Subject: [PATCH 130/314] [refactor] Only notify user of error found during setup --- setup/so-setup | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 775064f9f..6242d4a14 100755 --- a/setup/so-setup +++ b/setup/so-setup 
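Review bot: The new `grok` processor has neither `ignore_missing` nor `ignore_failure`, so any Strelka record whose `request.attributes.filename` is absent, or whose filename contains no `-<word>-` segment, fails the processor and the whole document is rejected by the pipeline instead of being indexed without a FUID. Add `"ignore_missing": true, "ignore_failure": true` to the processor (or an `on_failure` handler) so the FUID enrichment is best-effort. The pattern captures the first hyphen-delimited word, which presumably relies on the naming of Zeek's extracted files; recording that expectation in the pipeline's `description` would make the coupling visible.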
@@ -51,21 +51,22 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { + local title='Security Onion Install' if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi - if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi - - if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi - else - if [ $automated == no ]; then - whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 - else - cat >> $setup_log 2>&1 - fi + export SO_ERROR=1 + export SKIP_REBOOT=1 + title="Error found, please check $setup_log" fi + + if [ $automated == no ]; then + whiptail --title "$title" --gauge 'Please wait while installing...' 6 60 0 # append to text + else + cat >> $setup_log 2>&1 + fi } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then From 1d47cec928fdeae930ac0f3f811e57459c0bf491 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 7 Jul 2020 13:02:58 -0400 Subject: [PATCH 131/314] [refactor] Move install_cleanup outside of whiptail functions --- setup/so-setup | 3 +++ setup/so-whiptail | 6 +----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 6242d4a14..37004e9e6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -633,3 +633,6 @@ fi if [[ -z $SKIP_REBOOT ]]; then shutdown -r now fi + +install_cleanup >> $setup_log 2>&1 + diff --git a/setup/so-whiptail b/setup/so-whiptail index 8c84d5345..e165ba351 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
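Review bot: `export SO_ERROR=1` and `export SKIP_REBOOT=1` are set inside `progress`, but `progress` is invoked as the consumer of a pipeline (`} | progress`, visible in the later so-setup hunk on this page), and bash runs each pipeline element in a subshell, so neither variable is visible to the parent script once the pipeline ends and the later `-z $SO_ERROR` / `-z $SKIP_REBOOT` checks never see them. Signal the failure through something that survives the subshell, e.g. `touch "$setup_log.error"` here and `[[ -f "$setup_log.error" ]]` in the caller, or enable `shopt -s lastpipe` for this non-interactive script. `grep -q "ERROR" $setup_log` also matches any output line that happens to contain the word; anchoring on the bracketed form this function itself writes, `grep -q '^\[ ERROR \]' "$setup_log"`, would reduce false failures if the other writers use the same format, and `$setup_log` should be quoted either way.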
@@ -1036,17 +1036,13 @@ whiptail_setup_complete() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75 - install_cleanup >> $setup_log 2>&1 - } whiptail_setup_failed() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $setup_log for details. Press Ok to reboot." 8 75 - install_cleanup >> $setup_log 2>&1 - + whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $setup_log for details. Press Ok to exit." 8 75 } whiptail_shard_count() { From 3815f7e58eaf27630203513fe94adab2c4a93391 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 7 Jul 2020 13:12:46 -0400 Subject: [PATCH 132/314] [refactor] Edit logic around setup failure/completion * Always run `install_cleanup` and `so-allow` * Change if statement to check whether `$success != 0` or if `$SO_ERROR` was set * Set `$IP` only for `so-allow` instead of exporting it --- setup/so-setup | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 37004e9e6..ede21760e 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -615,24 +615,17 @@ fi } | progress success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') -if [[ "$success" = 0 ]]; then - whiptail_setup_complete - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - export IP=$ALLOW_CIDR - so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi - - if [[ $THEHIVE == 1 ]]; then - check_hive_init - fi -else - whiptail_setup_failed +if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ -z $SKIP_REBOOT ]]; then - shutdown -r now +if [[ $success != 0 || -z $SO_ERROR ]]; then whiptail_setup_failed +else + whiptail_setup_complete + if [[ $THEHIVE == 1 ]]; then check_hive_init; fi fi install_cleanup >> $setup_log 2>&1 +if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi From f4f189cc50a1c38c7e46cbaede39927fc3308da1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 7 Jul 2020 14:28:11 -0400 Subject: [PATCH 133/314] correct capitalization of true --- salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index b50f72747..afa8d290a 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -8,7 +8,7 @@ output { key => 'logstash:unparsed' congestion_interval => 1 congestion_threshold => 50000000 - batch => True + batch => true batch_events => {{ BATCH }} } } From fff713db85f59191064e76142d3e07ed7ccb3b4a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 7 Jul 2020 15:48:47 -0400 Subject: [PATCH 134/314] changes for https://github.com/Security-Onion-Solutions/securityonion/issues/825 --- salt/filebeat/etc/filebeat.yml | 297 +++++++++++++++++---------------- salt/filebeat/init.sls | 3 + 2 files changed, 154 insertions(+), 146 deletions(-) 
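Review bot: The failure test is inverted: `if [[ $success != 0 || -z $SO_ERROR ]]; then whiptail_setup_failed` reports failure whenever `SO_ERROR` is *unset*, which is the normal successful case, so every install ends with the failure dialog and a successful one never reaches `whiptail_setup_complete` or `check_hive_init`; the commit message's own intent ("or if `$SO_ERROR` was set") reads as `if [[ $success != 0 || -n $SO_ERROR ]]; then`. Independently, `SO_ERROR` is exported from `progress` on the consumer side of `} | progress`, which bash runs in a subshell, so even with the sign fixed the variable is unlikely to be set here — the two need fixing together. `so-allow -$ALLOW_ROLE` is now also run unconditionally before the success check, i.e. the firewall is opened for `$ALLOW_CIDR` even when the install failed; if that is not intended, keep it under the success branch. The bare `exit` returns whatever the preceding whiptail call returned rather than a deliberate status.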
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index dede0060e..6d33c1bdf 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -75,177 +75,181 @@ filebeat.modules: filebeat.inputs: #------------------------------ Log prospector -------------------------------- {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} +- type: udp + enabled: true + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true - - type: udp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog-%{+yyyy.MM.dd}" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - - - type: tcp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog-%{+yyyy.MM.dd}" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true -{%- if BROVER != 'SURICATA' %} -{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - - type: log - paths: - - /nsm/zeek/logs/current/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - - - type: log - paths: - - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - imported: true - processors: - - dissect: - tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false -{%- endfor %} 
-{%- endif %} - - - type: log - paths: - - /nsm/suricata/eve*.json - fields: - module: suricata - dataset: common +- type: tcp + enabled: true + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true + {%- if BROVER != 'SURICATA' %} + {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} +- type: log + paths: + - /nsm/zeek/logs/current/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} category: network + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - - - type: log - paths: - - /nsm/import/*/suricata/eve*.json - fields: - module: suricata - dataset: common +- type: log + paths: + - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} category: network - imported: true - processors: - - dissect: - tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] + imported: true + processors: + - dissect: + tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + {%- endfor %} + {%- endif %} - fields_under_root: true - clean_removed: false - close_removed: false +- type: log + paths: + - /nsm/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + + processors: + - drop_fields: + 
fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + +- type: log + paths: + - /nsm/import/*/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + imported: true + processors: + - dissect: + tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false {%- if STRELKAENABLED == 1 %} - - type: log - paths: - - /nsm/strelka/log/strelka.log - fields: - module: strelka - category: file - dataset: file +- type: log + paths: + - /nsm/strelka/log/strelka.log + fields: + module: strelka + category: file + dataset: file - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: false - close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} {%- endif %} {%- if WAZUHENABLED == 1 %} - - type: log - paths: - - /wazuh/alerts/alerts.json - fields: - module: ossec - dataset: alert - category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] +- type: log + paths: + - /wazuh/alerts/alerts.json + fields: + module: ossec + dataset: alert + category: host + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: false - close_removed: false - -# - type: log -# paths: -# - /wazuh/archives/archives.json -# fields: -# type: ossec_archive -# fields_under_root: true -# clean_removed: false -# close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} {%- if FLEETMASTER or FLEETNODE %} - - type: 
log - paths: - - /nsm/osquery/fleet/result.log - fields: - module: osquery - dataset: query_result - category: host +- type: log + paths: + - /nsm/osquery/fleet/result.log + fields: + module: osquery + dataset: query_result + category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: false - close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} +{%- if INPUTS %} +# USER PILLAR DEFINED INPUTS +{{ INPUTS | yaml(False) }} +{%- endif %} + +{% if OUTPUT -%} +# USER PILLAR DEFINED OUTPUT +{%- set types = OUTPUT.keys() | list %} +{%- set type = types[0] %} +output.{{ type }}: + {%- for i in OUTPUT[type].items() %} + {{ i[0] }}: {{ i[1]}} + {%- endfor %} +{%- else %} #----------------------------- Elasticsearch/Logstash output --------------------------------- -{%- if grains['role'] == "so-eval" %} + {%- if grains['role'] == "so-eval" %} output.elasticsearch: enabled: true hosts: ["{{ MASTER }}:9200"] @@ -269,7 +273,7 @@ output.elasticsearch: module: "strelka" setup.template.enabled: false -{%- else %} + {%- else %} output.logstash: # Boolean flag to enable or disable the output module. @@ -320,7 +324,8 @@ setup.template.enabled: false # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html #_source: #enabled: false -{%- endif %} + {%- endif %} +{% endif %} #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 95352010e..6fc06f582 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
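Review bot: The pillar-defined output block silently discards all but one output: `{%- set types = OUTPUT.keys() | list %}` / `{%- set type = types[0] %}` takes the first key and ignores the rest, and nothing validates `type`, so a pillar typo produces an `output.elasticsearc:`-style key that Filebeat rejects at start-up while the built-in Elasticsearch/Logstash output (and its settings) has already been dropped. The per-key loop `{{ i[0] }}: {{ i[1] }}` also renders nested values such as a `hosts` list or an `ssl` mapping through Python's repr rather than YAML, so quoting, `True`/`None` and nested structure do not reliably survive; emitting the mapping once with `{{ OUTPUT[type] | yaml(False) | indent(2) }}` keeps it well-formed. Similarly `{{ INPUTS | yaml(False) }}` at column 0 only yields valid `filebeat.inputs` entries when the pillar value is a list — a mapping passes the `{%- if INPUTS %}` test and renders an invalid inputs section, so either assert `INPUTS is sequence` or document that requirement next to the `# USER PILLAR DEFINED INPUTS` comment.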
@@ -46,6 +46,9 @@ filebeatconfsync: - user: 0 - group: 0 - template: jinja + - defaults: + INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} + OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} so-filebeat: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} From 3b50ce032aa89d918b738c68bbd62bfdc7b3aacb Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 7 Jul 2020 20:02:09 +0000 Subject: [PATCH 135/314] Add fields for exiftool keys --- salt/elasticsearch/files/ingest/strelka | 12 ------------ salt/elasticsearch/files/ingest/strelka.file | 12 ++++++++++++ 2 files changed, 12 insertions(+), 12 deletions(-) delete mode 100644 salt/elasticsearch/files/ingest/strelka diff --git a/salt/elasticsearch/files/ingest/strelka b/salt/elasticsearch/files/ingest/strelka deleted file mode 100644 index 39783c2ce..000000000 --- a/salt/elasticsearch/files/ingest/strelka +++ /dev/null @@ -1,12 +0,0 @@ -{ - "description" : "strelka", - "processors" : [ - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } }, - { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, - { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, - { "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } }, - { "remove": { "field": ["host", "path", "agent"], "ignore_missing": true } }, - { "pipeline": { "name": "common" } } - ] -} diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index ed80a4e5b..cf9cb48f7 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
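Review bot: The two new `defaults` entries splice the Python repr of a pillar structure into the rendered state (`INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}`), and the result is only valid YAML by accident — plain strings and numbers survive, but as far as I can tell a `None` becomes the string `None` and awkward quoting inside values can break the parse. Salt's Jinja provides a `json` filter that makes the embedded structure unambiguous: `INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) | json }}` and `OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) | json }}`. The `filebeatconfsync` state starts outside the hunk.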
@@ -7,6 +7,18 @@ { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } }, { "grok": { "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"] } }, + { "foreach": + { + "if": "ctx.scan?.exiftool?.keys !=null", + "field": "scan.exiftool.keys", + "processor":{ + "set": { + "field": "scan.exiftool.{{_ingest._value.key}}", + "value": "{{_ingest._value.value}}" + } + } + } + }, { "remove": { "field": ["host", "path"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] From 1954a389b0b35b5aad4412781b41355eb6da4842 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 7 Jul 2020 16:12:07 -0400 Subject: [PATCH 136/314] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 48e36f3d1..bcfc6f6eb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -928,7 +928,7 @@ master_pillar() { " esheap: $ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " freq: 0"\ - " domainstats: 0" > "$pillar_file" + " domainstats: 0" >> "$pillar_file" if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MASTERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then From cdce804c9f8197ce771fa3298a6c34225e6777d5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 7 Jul 2020 17:36:49 -0400 Subject: [PATCH 137/314] Update 9700_output_strelka.conf.jinja --- .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 1e192a8ee..5116b86ea 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja 
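Review bot: The target field name in the new `foreach` is taken from the event itself (`"field": "scan.exiftool.{{_ingest._value.key}}"`), and EXIF keys come from the scanned file, which in this pipeline is presumably attacker-supplied content. A key that is empty, contains a `.`, or collides with an existing field of another type will fail the `set`, and since neither the `foreach` nor the inner `set` carries `ignore_failure`, the whole Strelka event is dropped rather than indexed without EXIF data; an unbounded set of distinct keys can also swell the index mapping. At minimum add `"ignore_failure": true` to the `foreach`, and consider restricting this to a known key list if the EXIF fields are only needed for a handful of types.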
@@ -1,7 +1,7 @@ {%- if grains['role'] == 'so-eval' -%} {%- set ES = salt['pillar.get']('master:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} # Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics From 72a98b33a79658d075c3f4e9ab89ca3fd4c84d5e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 7 Jul 2020 17:38:23 -0400 Subject: [PATCH 138/314] [fix] Change test to check value of `$SO_ERROR` --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index eca5dbf23..b6ef14c3a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -620,7 +620,7 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ $success != 0 || -z $SO_ERROR ]]; then whiptail_setup_failed +if [[ $success != 0 || $SO_ERROR == 1 ]]; then whiptail_setup_failed else whiptail_setup_complete if [[ $THEHIVE == 1 ]]; then check_hive_init; fi From b4b122dbd96addb97462b32d6e04dc3f15e2497b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 7 Jul 2020 20:55:47 -0400 Subject: [PATCH 139/314] Fleet setup bugfix --- salt/common/tools/sbin/so-fleet-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 9801c803b..21aebc966 100644 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup 
@@ -16,6 +16,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then fi docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet +docker exec -it so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://localhost:8080/fleet)" != "301" ]]; do sleep 5; done' docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml From 987acaeb7b46f0b0cadf0c74741e6816baa1e2d1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jul 2020 09:26:04 -0400 Subject: [PATCH 140/314] Add Wazuh Authd Port --- salt/wazuh/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 6f8cf5029..3e0969359 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -90,6 +90,7 @@ so-wazuh: - port_bindings: - 0.0.0.0:1514:1514/udp - 0.0.0.0:1514:1514/tcp + - 0.0.0.0:1515:1515/tcp - 0.0.0.0:55000:55000 - binds: - /opt/so/wazuh:/var/ossec/data:rw From b25a3b69860d2ab0f02cf9037816ae468d32c1af Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jul 2020 09:39:37 -0400 Subject: [PATCH 141/314] Rename uids to uid --- salt/elasticsearch/files/ingest/zeek.files | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index 53600180f..bcbbcaba0 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files 
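Review bot: The added wait loop has no upper bound, so if `so-fleet` never answers 301 on `/fleet` (bad listener config, container crash-looping) the setup blocks forever with no message. A bounded loop keeps the intent and fails visibly: `for i in $(seq 1 60); do [[ "$(curl -s -o /dev/null --insecure -w '%{http_code}' https://localhost:8080/fleet)" == "301" ]] && break; sleep 5; done`, followed by a check that the loop did break. `docker exec -it` also allocates a TTY, which errors out if this script is run with stdin not attached to a terminal (for example from a logged setup run), so `-i` alone or no flags is safer here; the `''%{http_code}''` inside the single-quoted command is effectively `%{http_code}` but reads as if it were quoted, which is worth simplifying.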
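Review bot: The new binding `0.0.0.0:1515:1515/tcp` publishes the Wazuh agent-enrollment (authd) port on every host interface, and unless password-based enrollment is enabled in the manager's ossec.conf (not visible here) any host that can reach it can register an agent. The host firewall pillar for the manager role that appears later in this series lists 1514 but I cannot see 1515 in the visible portion, so please confirm the firewall state also opens 1515 only to the intended agent networks, and document the exposure inline: `# authd enrollment; restrict via firewall pillar and require use_password`.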
@@ -10,7 +10,7 @@ { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, - { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, + { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } }, { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, { "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } }, From 5f6854224107bfb6b44f8ea3448ca951652c3335 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 8 Jul 2020 09:52:25 -0400 Subject: [PATCH 142/314] add pillar example for filebeat inputs/output --- salt/filebeat/pillar.example | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 salt/filebeat/pillar.example diff --git a/salt/filebeat/pillar.example b/salt/filebeat/pillar.example new file mode 100644 index 000000000..e1731b22e --- /dev/null +++ b/salt/filebeat/pillar.example @@ -0,0 +1,22 @@ +filebeat: + config: + inputs: + - type: log + paths: + - /nsm/mylogdir/mylog.log + fields: + module: mymodule + dataset: mydataset + category: mycategory + + processors: + - drop_fields: + fields: '["source", "prospector", "input", "offset", "beat"]' + + fields_under_root: true + clean_removed: false + close_removed: false + output: + file: + path: "/tmp/filebeat" + filename: filebeat \ No newline at end of file From fef803a86c3cf6a1a350ae45e62d7130728fd8c3 Mon Sep 17 00:00:00 2001 
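Review bot: The example gives `drop_fields` a quoted string, `fields: '["source", "prospector", "input", "offset", "beat"]'`, whereas the built-in inputs in filebeat.yml use an unquoted flow list; rendered through `INPUTS | yaml(False)` that stays a string, and as far as I can tell Filebeat expects a list there and will reject the config. Drop the quotes: `fields: ["source", "prospector", "input", "offset", "beat"]`. Since a user-defined `output` replaces the default Elasticsearch/Logstash output entirely, the example should also warn about that: `# NOTE: defining output replaces the default manager output; events will no longer reach Elasticsearch`.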
From: Doug Burks Date: Wed, 8 Jul 2020 10:41:14 -0400 Subject: [PATCH 143/314] Add ignore_failure to geoip processor calls #942 --- salt/elasticsearch/files/ingest/common | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index d8de06f31..2f67a1ddc 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common @@ -6,7 +6,8 @@ "field": "destination.ip", "target_field": "destination.geo", "database_file": "GeoLite2-City.mmdb", - "ignore_missing": true, + "ignore_missing": true, + "ignore_failure": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] } }, @@ -16,6 +17,7 @@ "target_field": "source.geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, + "ignore_failure": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] } }, From 4cf31e1ee7c1c3de2a191cd6790745dd1497fb44 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jul 2020 10:55:40 -0400 Subject: [PATCH 144/314] Drop message field and original exiftool keys --- salt/elasticsearch/files/ingest/strelka.file | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index cf9cb48f7..17c1dca62 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -19,7 +19,7 @@ } } }, - { "remove": { "field": ["host", "path"], "ignore_missing": true } }, + { "remove": { "field": ["host", "path", "message", "scan.exiftool.keys"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] } From 59061926f09357cc43c171430db110d381c893a4 Mon Sep 17 00:00:00 2001 
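Review bot: Adding `"ignore_failure": true` to both geoip processors with no `on_failure` handler means a missing or unreadable `GeoLite2-City.mmdb` now fails silently on every event, so the only symptom is that enrichment quietly stops. If the goal is to keep the event when lookup fails, an `on_failure` that tags it preserves visibility, for example `"on_failure": [ { "append": { "field": "tags", "value": "geoip_failure" } } ]` in place of `ignore_failure`. The surrounding `processors` array extends outside both hunks.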
From: m0duspwnens Date: Wed, 8 Jul 2020 15:37:20 -0400 Subject: [PATCH 145/314] pillarize yum.conf installonly_limit and proxy --- salt/top.sls | 1 + salt/yum/etc/yum.conf.jinja | 16 ++++++++++++++++ salt/yum/init.sls | 6 ++++++ 3 files changed, 23 insertions(+) create mode 100644 salt/yum/etc/yum.conf.jinja create mode 100644 salt/yum/init.sls diff --git a/salt/top.sls b/salt/top.sls index e2d2ef8c5..fbf9e32ef 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -13,6 +13,7 @@ base: 'os:CentOS': - match: grain + - yum - yum.packages '*': diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja new file mode 100644 index 000000000..20ad0ce6f --- /dev/null +++ b/salt/yum/etc/yum.conf.jinja @@ -0,0 +1,16 @@ +[main] +cachedir=/var/cache/yum/$basearch/$releasever +keepcache=0 +debuglevel=2 +logfile=/var/log/yum.log +exactarch=1 +obsoletes=1 +gpgcheck=1 +plugins=1 +installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} +bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum +distroverpkg=centos-release + +{% if salt['pillar.get']('static:masterupdate', '0') %} +proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 +{% endif %}%} \ No newline at end of file diff --git a/salt/yum/init.sls b/salt/yum/init.sls new file mode 100644 index 000000000..c91de908e --- /dev/null +++ b/salt/yum/init.sls @@ -0,0 +1,6 @@ +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://yum/etc/yum.conf.jinja + - mode: 644 + - template: jinja \ No newline at end of file From f2cea273b62980dc123db42baea2c27a0ed520f8 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 8 Jul 2020 19:39:14 +0000 Subject: [PATCH 146/314] Add standalone evaluation for log_size_limit --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index bcfc6f6eb..d2915f4ff 100755 
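Review bot: The proxy guard `{% if salt['pillar.get']('static:masterupdate', '0') %}` is always true when the pillar key is absent, because the default `'0'` is a non-empty string and therefore truthy in Jinja; it is equally true when the pillar stores the string `'0'`. That emits `proxy=http://...:3142` on hosts that have no cacher, so yum would fail until the pillar is set. Compare the value explicitly, e.g. `{% if salt['pillar.get']('static:masterupdate', 0) | int == 1 %}`.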
--- a/setup/so-functions +++ b/setup/so-functions @@ -1433,7 +1433,7 @@ set_default_log_size() { local percentage case $INSTALLTYPE in - EVAL | HEAVYNODE) + STANDALONE | EVAL | HEAVYNODE) percentage=50 ;; *) From ce00d829e15595a35a9d711a6f4e8e462d0aa5e8 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jul 2020 23:26:48 -0400 Subject: [PATCH 147/314] Move EC2 to more generic cloud verbiage and check for GCP --- setup/so-functions | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d2915f4ff..0b6f99142 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -505,10 +505,10 @@ configure_network_sensor() { # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi + if [[ $is_cloud ]]; then MTU=1575; else MTU=1500; fi fi - if [[ $is_ec2 ]]; then + if [[ $is_cloud ]]; then INTERFACE=${BNICS[0]} local nmcli_con_arg="type ethernet" else @@ -553,7 +553,7 @@ configure_network_sensor() { ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 done - if [[ $is_ec2 ]]; then + if [[ $is_cloud ]]; then nmcli con up "$BNIC" >> "$setup_log" 2>&1 else # Check if the bond slave connection has already been created @@ -583,9 +583,9 @@ configure_network_sensor() { fi } -detect_ec2() { - echo "Testing if setup is running on an EC2 instance" - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi +detect_cloud() { + echo "Testing if setup is running on a cloud instance" + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google); then export is_cloud="true"; fi } detect_os() { From 889ba67d85ad5bd26102c52977907acfc4e5b40a Mon Sep 17 00:00:00 2001 
From: weslambert Date: Wed, 8 Jul 2020 23:27:46 -0400 Subject: [PATCH 148/314] Move EC2 to more generic cloud verbiage --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index b6ef14c3a..3f6d42380 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -109,7 +109,7 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -detect_os && detect_ec2 +detect_os && detect_cloud set_network_dev_status_list if [ "$OS" == ubuntu ]; then From c01047fad21ff2e679ac6ae86f32cd3eb5922c33 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 8 Jul 2020 23:30:50 -0400 Subject: [PATCH 149/314] Add /dev/null --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 0b6f99142..5bbb319eb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -585,7 +585,7 @@ configure_network_sensor() { detect_cloud() { echo "Testing if setup is running on a cloud instance" - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google); then export is_cloud="true"; fi + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi } detect_os() { From 8dfafffef068452968967e9c42251423e980aba8 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 9 Jul 2020 06:44:08 -0400 Subject: [PATCH 150/314] remove duplicate line for message2.conn_uids --- salt/elasticsearch/files/ingest/zeek.files | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index bcbbcaba0..c5fefa85f 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files 
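Review bot: The added `> /dev/null` is on `grep -q`, which already prints nothing, so it changes nothing; the output that actually appears on a non-GCP host comes from `dmidecode` on stderr (not installed, not root, no SMBIOS data). The redirect belongs on dmidecode: `( dmidecode -s bios-vendor 2>/dev/null | grep -q Google )`. Note also that the first test fires for anything answering at 169.254.169.254, not just EC2, so other clouds will now get the `is_cloud` MTU of 1575 — I cannot tell from here whether that is intended.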
@@ -4,7 +4,6 @@ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, - { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, { "remove": { "field": "source", "ignore_missing": true } }, { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, From d539f1ddf8b5b36b7b5e45d3bed2efd3a0c70583 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 9 Jul 2020 08:51:53 -0400 Subject: [PATCH 151/314] fix typo --- salt/yum/etc/yum.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja index 20ad0ce6f..a370bbf4f 100644 --- a/salt/yum/etc/yum.conf.jinja +++ b/salt/yum/etc/yum.conf.jinja @@ -13,4 +13,4 @@ distroverpkg=centos-release {% if salt['pillar.get']('static:masterupdate', '0') %} proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 -{% endif %}%} \ No newline at end of file +{% endif %} \ No newline at end of file From 2c32c24bf068564d49743ce1edb6fc4941298191 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 09:16:48 -0400 Subject: [PATCH 152/314] Fix logstash logic --- salt/logstash/etc/logstash.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml index fc1df3d47..8f8dcec81 100644 --- a/salt/logstash/etc/logstash.yml +++ b/salt/logstash/etc/logstash.yml 
@@ -217,13 +217,8 @@ path.logs: /var/log/logstash # # Where to find custom plugins # path.plugins: [] -{% if grains['role'] == 'so-master' %} -{% set pipeline_workers = salt['pillar.get']('master:ls_pipeline_workers', '1') %} -{% set pipeline_batch = salt['pillar.get']('master:ls_pipeline_batch_size', '125') %} -{% else %} -{% set pipeline_workers = salt['pillar.get']('node:ls_pipeline_workers', '1') %} -{% set pipeline_batch = salt['pillar.get']('node:ls_pipeline_batch_size', '125') %} -{% endif %} +{% set pipeline_workers = salt['pillar.get']('logstash_settings:ls_pipeline_workers', '1') %} +{% set pipeline_batch = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', '125') %} pipeline.workers: {{ pipeline_workers }} pipeline.batch.size: {{ pipeline_batch }} From 9c2f7d574d36f41d5e1b948627747d7f25a15275 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 9 Jul 2020 11:19:02 -0400 Subject: [PATCH 153/314] Add ES settings to pillar --- .../templates/so/so-beats-template.json | 10 ++++++++++ .../templates/so/so-firewall-template.json | 10 ++++++++++ .../templates/so/so-ids-template.json | 10 ++++++++++ .../templates/so/so-import-template.json | 10 ++++++++++ .../templates/so/so-osquery-template.json | 10 ++++++++++ .../templates/so/so-ossec-template.json | 10 ++++++++++ .../templates/so/so-strelka-template.json | 10 ++++++++++ .../templates/so/so-syslog-template.json | 10 ++++++++++ setup/so-functions | 20 ++++++++++++++++++- 9 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 salt/logstash/pipelines/templates/so/so-beats-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-firewall-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-ids-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-import-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-osquery-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-ossec-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-strelka-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-syslog-template.json diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json new file mode 100644 index 000000000..48459bc7a --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-beats-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-beats-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-firewall-template.json b/salt/logstash/pipelines/templates/so/so-firewall-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null 
+++ b/salt/logstash/pipelines/templates/so/so-firewall-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-ids-template.json b/salt/logstash/pipelines/templates/so/so-ids-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-ids-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-import-template.json b/salt/logstash/pipelines/templates/so/so-import-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-import-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-osquery-template.json b/salt/logstash/pipelines/templates/so/so-osquery-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-osquery-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-ossec-template.json b/salt/logstash/pipelines/templates/so/so-ossec-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-ossec-template.json 
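Review bot: This template declares `"index_patterns": ["so-zeek-*"]` although the file name, and the `so-firewall` entry in `index_settings` added in the same commit, point at `so-firewall-*`. The so-ids, so-import, so-osquery, so-ossec, so-strelka and so-syslog templates in this commit share the identical blob (`index 61a95c0e7`) and so carry the same pattern, which leaves seven same-order templates competing for `so-zeek-*` while the intended indices get none of them. Change each file to its own pattern, e.g. `"index_patterns": ["so-firewall-*"]`.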
@@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-strelka-template.json b/salt/logstash/pipelines/templates/so/so-strelka-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-strelka-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-syslog-template.json b/salt/logstash/pipelines/templates/so/so-syslog-template.json new file mode 100644 index 000000000..61a95c0e7 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-syslog-template.json @@ -0,0 +1,10 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 11, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + } +} diff --git a/setup/so-functions b/setup/so-functions index 5bbb319eb..68bd349bd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1068,10 +1068,28 @@ elasticsearch_pillar() { " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ " route_type: hot"\ + " replicas: 0"\ + " true_cluster: False" + " true_cluster_name: so" " index_settings:"\ + " so-beats:"\ + " shards: 1"\ + " so-firewall:"\ + " shards: 1"\ + " so-ids:"\ + " shards: 1"\ + " so-import:"\ + " shards: 1"\ + " so-osquery:"\ + " shards: 1"\ + " so-ossec:"\ + " shards: 1"\ + " so-strelka:"\ + " shards: 1"\ + " so-syslog:"\ + " shards: 1"\ " so-zeek:"\ " shards: 5"\ - " replicas: 0"\ "" >> "$pillar_file" if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then 
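Review bot: The two new lines `" true_cluster: False"` and `" true_cluster_name: so"` are missing the trailing backslash, so the argument list ends after `true_cluster: False` and that command runs with no redirection to `$pillar_file`; `" true_cluster_name: so"` then runs as a separate command (command not found), and so does `" index_settings:"\ ...`, taking the `>> "$pillar_file"` redirection with it. The net effect is that nothing from `replicas` onward reaches the pillar file. Append the continuation to both lines: `" true_cluster: False"\` and `" true_cluster_name: so"\`. The command that writes the pillar starts outside the hunk.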
From 3cf31e2460467e06e2068eee6980bfd56e735d24 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 9 Jul 2020 11:27:06 -0400 Subject: [PATCH 154/314] https://github.com/Security-Onion-Solutions/securityonion/issues/404 --- .../assigned_hostgroups.local.map.yaml | 4 +- files/firewall/hostgroups.local.yaml | 2 +- pillar/docker/config.sls | 24 ++-- pillar/firewall/ports.sls | 2 +- pillar/logstash/{master.sls => manager.sls} | 2 +- pillar/top.sls | 12 +- salt/_modules/telegraf.py | 2 +- salt/ca/init.sls | 4 +- ...ster.map.jinja => fleet_manager.map.jinja} | 0 .../{master.map.jinja => manager.map.jinja} | 0 ...arch.map.jinja => managersearch.map.jinja} | 0 salt/common/maps/so-status.map.jinja | 18 +-- salt/common/tools/sbin/so-bro-logs | 4 +- salt/common/tools/sbin/so-docker-refresh | 16 +-- salt/common/tools/sbin/so-elastic-clear | 8 +- salt/common/tools/sbin/so-elastic-download | 6 +- .../tools/sbin/so-elasticsearch-indices-rw | 2 +- .../tools/sbin/so-elasticsearch-templates | 4 +- salt/common/tools/sbin/so-import-pcap | 14 +- .../common/tools/sbin/so-kibana-config-export | 10 +- salt/curator/files/action/close.yml | 4 +- salt/curator/files/action/delete.yml | 4 +- .../files/bin/so-curator-closed-delete-delete | 8 +- salt/curator/files/curator.yml | 4 +- salt/curator/init.sls | 6 +- salt/deprecated-bro/files/local.bro | 4 +- salt/deprecated-bro/files/local.bro.community | 4 +- salt/elastalert/files/elastalert_config.yaml | 4 +- .../files/rules/so/suricata_thehive.yaml | 8 +- .../files/rules/so/wazuh_thehive.yaml | 8 +- salt/elastalert/init.sls | 12 +- salt/elasticsearch/files/elasticsearch.yml | 4 +- salt/elasticsearch/init.sls | 12 +- salt/filebeat/etc/filebeat.yml | 12 +- salt/filebeat/init.sls | 8 +- salt/firewall/assigned_hostgroups.map.yaml | 26 ++-- salt/firewall/hostgroups.yaml | 2 +- salt/firewall/portgroups.yaml | 2 +- salt/fleet/event_gen-packages.sls | 4 +- salt/fleet/init.sls | 6 +- salt/fleet/install_package.sls | 2 +- .../master.json => manager/manager.json} | 0 .../managersearch.json} | 0 
salt/grafana/etc/dashboards/dashboard.yml | 4 +- salt/grafana/etc/datasources/influxdb.yaml | 4 +- salt/grafana/init.sls | 32 ++--- salt/idstools/init.sls | 4 +- salt/influxdb/init.sls | 8 +- salt/kibana/bin/keepkibanahappy.sh | 2 +- salt/kibana/bin/so-kibana-config-load | 10 +- salt/kibana/etc/kibana.yml | 2 +- salt/kibana/init.sls | 10 +- salt/logstash/init.sls | 14 +- .../config/so/0900_input_redis.conf.jinja | 6 +- .../config/so/9000_output_zeek.conf.jinja | 2 +- .../config/so/9001_output_switch.conf.jinja | 2 +- .../config/so/9002_output_import.conf.jinja | 2 +- .../config/so/9004_output_flow.conf.jinja | 2 +- .../config/so/9026_output_dhcp.conf.jinja | 2 +- .../config/so/9029_output_esxi.conf.jinja | 2 +- .../config/so/9030_output_greensql.conf.jinja | 2 +- .../config/so/9031_output_iis.conf.jinja | 2 +- .../config/so/9032_output_mcafee.conf.jinja | 2 +- .../config/so/9033_output_snort.conf.jinja | 2 +- .../config/so/9034_output_syslog.conf.jinja | 2 +- .../config/so/9100_output_osquery.conf.jinja | 2 +- .../config/so/9200_output_firewall.conf.jinja | 2 +- .../config/so/9300_output_windows.conf.jinja | 2 +- .../so/9301_output_dns_windows.conf.jinja | 2 +- .../config/so/9400_output_suricata.conf.jinja | 2 +- .../config/so/9500_output_beats.conf.jinja | 2 +- .../config/so/9600_output_ossec.conf.jinja | 2 +- .../config/so/9700_output_strelka.conf.jinja | 2 +- .../config/so/9999_output_redis.conf.jinja | 4 +- salt/{master => manager}/files/acng/acng.conf | 0 salt/{master => manager}/files/add_minion.sh | 0 .../files/registry/scripts/so-docker-download | 6 +- salt/{master => manager}/init.sls | 10 +- salt/minio/init.sls | 4 +- salt/mysql/init.sls | 8 +- salt/nginx/etc/nginx.conf.so-eval | 32 ++--- ...x.conf.so-master => nginx.conf.so-manager} | 32 ++--- ...stersearch => nginx.conf.so-managersearch} | 32 ++--- salt/nginx/etc/nginx.conf.so-standalone | 32 ++--- salt/nginx/files/navigator_config.json | 2 +- salt/nginx/init.sls | 12 +- 
salt/nodered/files/nodered_load_flows | 2 +- salt/nodered/files/so_flows.json | 4 +- salt/pcap/files/sensoroni.json | 4 +- salt/pcap/init.sls | 6 +- salt/playbook/init.sls | 16 +-- salt/reactor/fleet.sls | 8 +- salt/redis/init.sls | 4 +- salt/soc/files/kratos/kratos.yaml | 2 +- salt/soc/files/soc/soc.json | 6 +- salt/soc/init.sls | 6 +- salt/soctopus/files/SOCtopus.conf | 12 +- .../files/templates/es-generic.template | 2 +- .../soctopus/files/templates/generic.template | 4 +- .../soctopus/files/templates/osquery.template | 4 +- salt/soctopus/init.sls | 10 +- salt/ssl/init.sls | 48 +++---- salt/strelka/files/backend/backend.yaml | 2 +- salt/strelka/files/filestream/filestream.yaml | 2 +- salt/strelka/files/frontend/frontend.yaml | 2 +- salt/strelka/files/manager/manager.yaml | 2 +- salt/strelka/init.sls | 16 +-- salt/suricata/init.sls | 4 +- salt/suricata/{master.sls => manager.sls} | 0 salt/suricata/suricata_config.map.jinja | 2 +- salt/tcpreplay/init.sls | 4 +- salt/telegraf/etc/telegraf.conf | 10 +- salt/telegraf/init.sls | 6 +- salt/thehive/etc/application.conf | 14 +- salt/thehive/etc/cortex-application.conf | 6 +- salt/thehive/init.sls | 12 +- salt/thehive/scripts/cortex_init | 6 +- salt/thehive/scripts/hive_init | 6 +- salt/top.sls | 66 +++++----- salt/utility/bin/crossthestreams | 6 +- salt/utility/bin/eval | 2 +- salt/utility/init.sls | 2 +- salt/wazuh/files/agent/ossec.conf | 4 +- salt/wazuh/files/agent/wazuh-register-agent | 4 +- salt/wazuh/files/wazuh-manager-whitelist | 8 +- salt/wazuh/init.sls | 4 +- salt/yum/etc/yum.conf.jinja | 4 +- salt/zeek/init.sls | 4 +- setup/automation/pm_standalone_defaults | 8 +- setup/so-functions | 120 +++++++++--------- setup/so-setup | 100 +++++++-------- setup/so-whiptail | 52 ++++---- upgrade/so-update-functions | 14 +- upgrade/soup | 2 +- 134 files changed, 609 insertions(+), 609 deletions(-) rename pillar/logstash/{master.sls => manager.sls} (92%) rename salt/common/maps/{fleet_master.map.jinja => 
fleet_manager.map.jinja} (100%) rename salt/common/maps/{master.map.jinja => manager.map.jinja} (100%) rename salt/common/maps/{mastersearch.map.jinja => managersearch.map.jinja} (100%) rename salt/grafana/dashboards/{master/master.json => manager/manager.json} (100%) rename salt/grafana/dashboards/{mastersearch/mastersearch.json => managersearch/managersearch.json} (100%) rename salt/{master => manager}/files/acng/acng.conf (100%) rename salt/{master => manager}/files/add_minion.sh (100%) rename salt/{master => manager}/files/registry/scripts/so-docker-download (88%) rename salt/{master => manager}/init.sls (87%) rename salt/nginx/etc/{nginx.conf.so-master => nginx.conf.so-manager} (91%) rename salt/nginx/etc/{nginx.conf.so-mastersearch => nginx.conf.so-managersearch} (91%) rename salt/suricata/{master.sls => manager.sls} (100%) diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 6dff82823..5d9b662b6 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -13,8 +13,8 @@ role: fleet: heavynode: helixsensor: - master: - mastersearch: + manager: + managersearch: standalone: searchnode: sensor: \ No newline at end of file diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 6426ae207..794105627 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -24,7 +24,7 @@ firewall: ips: delete: insert: - master: + manager: ips: delete: insert: diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls index f8426b8cb..dd73f3aa9 100644 --- a/pillar/docker/config.sls +++ b/pillar/docker/config.sls 
@@ -1,12 +1,12 @@ -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} -{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %} -{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %} -{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %} +{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %} +{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} +{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} +{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} +{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} {% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} eval: containers: @@ -20,7 +20,7 @@ eval: - so-soc - so-kratos - so-idstools - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis @@ -83,7 +83,7 @@ hot_node: - so-logstash - so-elasticsearch - so-curator -master_search: +manager_search: containers: - so-nginx - so-telegraf @@ -99,7 +99,7 @@ master_search: - so-elastalert - so-filebeat - so-soctopus - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis @@ -122,7 +122,7 @@ master_search: {% if DOMAINSTATS != '0' %} - so-domainstats {% endif %} -master: +manager: containers: - so-dockerregistry - so-nginx @@ -141,7 +141,7 @@ master: - so-kibana - so-elastalert - so-filebeat - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis diff --git a/pillar/firewall/ports.sls b/pillar/firewall/ports.sls index 29f711c13..4f7c06bec 100644 --- a/pillar/firewall/ports.sls 
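Review bot: Every `salt['pillar.get']('manager:…', '0')` in this hunk falls back to its default silently, so a minion whose pillar still carries the old `master:` namespace will render with Wazuh, TheHive, Playbook, freq, domainstats and Grafana all reported as disabled, with no error to flag the mismatch. The same applies to `static:fleet_manager` defaulting to `False`, which would drop `so-fleet`, `so-mysql` and `so-redis` from the container lists below. A transitional read of both keys, in the nested style already used elsewhere in this tree, avoids the silent downgrade: `{% set WAZUH = salt['pillar.get']('manager:wazuh', salt['pillar.get']('master:wazuh', '0')) %}` and likewise for the other five lookups, or alternatively a pillar migration run before this state is applied.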
+++ b/pillar/firewall/ports.sls @@ -17,7 +17,7 @@ firewall: - 5644 - 9822 udp: - master: + manager: ports: tcp: - 1514 diff --git a/pillar/logstash/master.sls b/pillar/logstash/manager.sls similarity index 92% rename from pillar/logstash/master.sls rename to pillar/logstash/manager.sls index 1ff41b43c..9c16d2625 100644 --- a/pillar/logstash/master.sls +++ b/pillar/logstash/manager.sls @@ -1,6 +1,6 @@ logstash: pipelines: - master: + manager: config: - so/0009_input_beats.conf - so/0010_input_hhbeats.conf diff --git a/pillar/top.sls b/pillar/top.sls index a691cf028..6eba800a9 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -6,10 +6,10 @@ base: - match: compound - zeek - '*_mastersearch or *_heavynode': + '*_managersearch or *_heavynode': - match: compound - logstash - - logstash.master + - logstash.manager - logstash.search '*_sensor': @@ -18,16 +18,16 @@ base: - healthcheck.sensor - minions.{{ grains.id }} - '*_master or *_mastersearch': + '*_manager or *_managersearch': - match: compound - static - data.* - secrets - minions.{{ grains.id }} - '*_master': + '*_manager': - logstash - - logstash.master + - logstash.manager '*_eval': - static @@ -39,7 +39,7 @@ base: '*_standalone': - logstash - - logstash.master + - logstash.manager - logstash.search - data.* - brologs diff --git a/salt/_modules/telegraf.py b/salt/_modules/telegraf.py index 6fa33f89a..aa98af039 100644 --- a/salt/_modules/telegraf.py +++ b/salt/_modules/telegraf.py @@ -6,7 +6,7 @@ import socket def send(data): - mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint')) + mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] dstport = 8094 diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 60d7adb3a..0def5677e 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls 
@@ -1,4 +1,4 @@ -{% set master = salt['grains.get']('master') %} +{% set manager = salt['grains.get']('manager') %} /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://ca/files/signing_policies.conf @@ -20,7 +20,7 @@ pki_private_key: /etc/pki/ca.crt: x509.certificate_managed: - signing_private_key: /etc/pki/ca.key - - CN: {{ master }} + - CN: {{ manager }} - C: US - ST: Utah - L: Salt Lake City diff --git a/salt/common/maps/fleet_master.map.jinja b/salt/common/maps/fleet_manager.map.jinja similarity index 100% rename from salt/common/maps/fleet_master.map.jinja rename to salt/common/maps/fleet_manager.map.jinja diff --git a/salt/common/maps/master.map.jinja b/salt/common/maps/manager.map.jinja similarity index 100% rename from salt/common/maps/master.map.jinja rename to salt/common/maps/manager.map.jinja diff --git a/salt/common/maps/mastersearch.map.jinja b/salt/common/maps/managersearch.map.jinja similarity index 100% rename from salt/common/maps/mastersearch.map.jinja rename to salt/common/maps/managersearch.map.jinja diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index f67f4bcd6..f30291f90 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja 
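Review bot: `salt['grains.get']('manager')` on the first line is not a like-for-like rename: `master` is a core grain Salt populates from the minion's configured master, whereas `manager` only exists if setup writes a custom grain for it (the commit does read custom grains from `/etc/salt/grains` elsewhere, so that may be the intent, but it is not visible here). If the grain is absent this renders `CN: None` into the CA certificate via `x509.certificate_managed`, and the same lookup feeds the `{{ MANAGER }}:5000/...` image references throughout this commit. A defensive fallback keeps both paths working during the transition: `{% set manager = salt['grains.get']('manager', salt['grains.get']('master')) %}`, and a short comment noting that the `manager` grain is expected to be written by setup would help the next reader.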
@@ -18,14 +18,14 @@ } },grain='id', merge=salt['pillar.get']('docker')) %} -{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %} - {{ append_containers('master', 'grafana', 0) }} - {{ append_containers('static', 'fleet_master', 0) }} - {{ append_containers('master', 'wazuh', 0) }} - {{ append_containers('master', 'thehive', 0) }} - {{ append_containers('master', 'playbook', 0) }} - {{ append_containers('master', 'freq', 0) }} - {{ append_containers('master', 'domainstats', 0) }} +{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} + {{ append_containers('manager', 'grafana', 0) }} + {{ append_containers('static', 'fleet_manager', 0) }} + {{ append_containers('manager', 'wazuh', 0) }} + {{ append_containers('manager', 'thehive', 0) }} + {{ append_containers('manager', 'playbook', 0) }} + {{ append_containers('manager', 'freq', 0) }} + {{ append_containers('manager', 'domainstats', 0) }} {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} @@ -37,7 +37,7 @@ {% endif %} {% if role == 'searchnode' %} - {{ append_containers('master', 'wazuh', 0) }} + {{ append_containers('manager', 'wazuh', 0) }} {% endif %} {% if role == 'sensor' %} diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs index 173d23029..4f55eb7f4 100755 --- a/salt/common/tools/sbin/so-bro-logs +++ b/salt/common/tools/sbin/so-bro-logs @@ -11,7 +11,7 @@ bro_logs_enabled() { } -whiptail_master_adv_service_brologs() { +whiptail_manager_adv_service_brologs() { BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \ "conn" "Connection Logging" ON \ @@ -54,5 +54,5 @@ whiptail_master_adv_service_brologs() { "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) } -whiptail_master_adv_service_brologs +whiptail_manager_adv_service_brologs bro_logs_enabled diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index d4796818d..bd9993570 100644 
--- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh @@ -21,13 +21,13 @@ got_root(){ fi } -master_check() { - # Check to see if this is a master - MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then - echo "This is a master. We can proceed" +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ]; then + echo "This is a manager. We can proceed" else - echo "Please run soup on the master. The master controls all updates." + echo "Please run soup on the manager. The manager controls all updates." exit 1 fi } @@ -56,13 +56,13 @@ version_check() { fi } got_root -master_check +manager_check version_check # Use the hostname HOSTNAME=$(hostname) # List all the containers -if [ $MASTERCHECK != 'so-helix' ]; then +if [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( \ "so-acng:$VERSION" \ "so-thehive-cortex:$VERSION" \ diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index f7030bc13..04c153f85 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%} . /usr/sbin/so-common SKIP=0 
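Review bot: The renamed test in `manager_check()` leaves `$MANAGERCHECK` unquoted, so if `/etc/salt/grains` has no `role` line the expansion is empty and `[ == 'so-eval' ]` is a syntax error rather than the intended "Please run soup on the manager" exit; `grep role` also matches any grain key containing that substring. Quoting and anchoring fixes both: `MANAGERCHECK=$(awk '/^role:/ {print $2}' /etc/salt/grains)` and `if [ "$MANAGERCHECK" == 'so-eval' ] || [ "$MANAGERCHECK" == 'so-manager' ] ...`. The same unquoted variable is used again in the `!= 'so-helix'` comparison in the next hunk.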
@@ -50,7 +50,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - curl {{ MASTERIP }}:9200/_cat/indices?v + curl {{ MANAGERIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo @@ -89,10 +89,10 @@ fi # Delete data echo "Deleting data..." -INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$(curl -s -XGET {{ MANAGERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do - curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -XDELETE "{{ MANAGERIP }}:9200/${INDX}" > /dev/null 2>&1 done #Start Logstash/Filebeat diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download index 4c3406c74..b52d88c45 100755 --- a/salt/common/tools/sbin/so-elastic-download +++ b/salt/common/tools/sbin/so-elastic-download @@ -1,5 +1,5 @@ #!/bin/bash -MASTER=MASTER +MANAGER=MANAGER VERSION="HH1.1.4" TRUSTED_CONTAINERS=( \ "so-nginx:$VERSION" \ @@ -37,7 +37,7 @@ do echo "Downloading $i" docker pull --disable-content-trust=false docker.io/soshybridhunter/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i - docker push $MASTER:5000/soshybridhunter/$i + docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i + docker push $MANAGER:5000/soshybridhunter/$i docker rmi soshybridhunter/$i done diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index d49fd5f1b..6e9eebe47 100644 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw 
@@ -15,7 +15,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} +IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} ESPORT=9200 THEHIVEESPORT=9400 diff --git a/salt/common/tools/sbin/so-elasticsearch-templates b/salt/common/tools/sbin/so-elasticsearch-templates index 829e2a68d..6b3e19d30 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates +++ b/salt/common/tools/sbin/so-elasticsearch-templates @@ -1,4 +1,4 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} #!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC # @@ -16,7 +16,7 @@ # along with this program. If not, see . default_salt_dir=/opt/so/saltstack/default -ELASTICSEARCH_HOST="{{ MASTERIP}}" +ELASTICSEARCH_HOST="{{ MANAGERIP}}" ELASTICSEARCH_PORT=9200 #ELASTICSEARCH_AUTH="" diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 9e54820e0..1d1fd5f70 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -15,9 +15,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set VERSION = salt['pillar.get']('static:soversion') %} -{%- set MASTERIP = salt['pillar.get']('static:masterip') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip') -%} function usage { cat << EOF 
@@ -30,13 +30,13 @@ EOF function pcapinfo() { PCAP=$1 ARGS=$2 - docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MASTER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap $ARGS + docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap $ARGS } function pcapfix() { PCAP=$1 PCAP_OUT=$2 - docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MASTER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 + docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 } function suricata() { @@ -57,7 +57,7 @@ function suricata() { -v ${NSM_PATH}/:/nsm/:rw \ -v $PCAP:/input.pcap:ro \ -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \ - {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} \ + {{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} \ --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1 } @@ -85,7 +85,7 @@ function zeek() { -v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \ --entrypoint /opt/zeek/bin/zeek \ -w /nsm/zeek/logs \ - {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} \ + {{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} \ -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 } 
@@ -212,7 +212,7 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ MASTERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) +https://{{ MANAGERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST diff --git a/salt/common/tools/sbin/so-kibana-config-export b/salt/common/tools/sbin/so-kibana-config-export index f64e12a0e..8ee3f59b5 100755 --- a/salt/common/tools/sbin/so-kibana-config-export +++ b/salt/common/tools/sbin/so-kibana-config-export @@ -1,9 +1,9 @@ #!/bin/bash # -# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%} +# {%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager', False) -%} # {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%} # {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %} -# {%- set MASTER = salt['pillar.get']('master:url_base', '') %} +# {%- set MANAGER = salt['pillar.get']('manager:url_base', '') %} # # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # 
@@ -20,7 +20,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -KIBANA_HOST={{ MASTER }} +KIBANA_HOST={{ MANAGER }} KSO_PORT=5601 OUTFILE="saved_objects.ndjson" curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE @@ -29,7 +29,7 @@ curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_H sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE # Clean up for Fleet, if applicable -# {% if FLEET_NODE or FLEET_MASTER %} +# {% if FLEET_NODE or FLEET_MANAGER %} # Fleet IP -sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE +sed -i "s/{{ MANAGER }}/FLEETPLACEHOLDER/g" $OUTFILE # {% endif %} diff --git a/salt/curator/files/action/close.yml b/salt/curator/files/action/close.yml index d0bd1d5d1..fdbe9d450 100644 --- a/salt/curator/files/action/close.yml +++ b/salt/curator/files/action/close.yml @@ -1,7 +1,7 @@ {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} {%- set cur_close_days = salt['pillar.get']('elasticsearch:cur_close_days', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%} +{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set cur_close_days = salt['pillar.get']('manager:cur_close_days', '') -%} {%- endif -%} --- diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index f24f0b781..5d7f26861 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml 
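Review bot: The Fleet clean-up line `sed -i "s/{{ MANAGER }}/FLEETPLACEHOLDER/g" $OUTFILE` appears to be a no-op: `KIBANA_HOST` is set to `{{ MANAGER }}` in the previous hunk and the preceding `sed -i "s/$KIBANA_HOST/PLACEHOLDER/g"` has already replaced every occurrence of that value, so nothing is left for the second substitution to match. The `# Fleet IP` comment and the otherwise unused `FLEET_IP` variable from the Jinja header suggest the intended line is `sed -i "s/{{ FLEET_IP }}/FLEETPLACEHOLDER/g" $OUTFILE`. Whichever value is used, the dots in a host or IP are regex metacharacters here, so escaping them (or using a fixed-string tool) would make the replacement exact.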
@@ -1,7 +1,7 @@ {%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%} +{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set log_size_limit = salt['pillar.get']('manager:log_size_limit', '') -%} {%- endif %} --- # Remember, leave a key empty if there is no value. None will be a string, diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 4a6458394..0d894db2f 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -5,10 +5,10 @@ {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%} - {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%} +{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('manager:mainip', '') -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%} + {%- set LOG_SIZE_LIMIT = salt['pillar.get']('manager:log_size_limit', '') -%} {%- endif -%} # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index e9b8a63ba..3b019923e 100644 --- a/salt/curator/files/curator.yml 
+++ b/salt/curator/files/curator.yml @@ -1,7 +1,7 @@ {% if grains['role'] in ['so-node', 'so-heavynode'] %} {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%} -{% elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%} +{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%} {%- endif %} --- diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 8d3147242..e43f7e91b 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,6 +1,6 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% if grains['role'] in ['so-eval', 'so-node', 'so-mastersearch', 'so-heavynode', 'so-standalone'] %} +{% set MANAGER = salt['grains.get']('manager') %} +{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %} # Curator # Create the group curatorgroup: @@ -119,7 +119,7 @@ so-curatordeletecron: so-curator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-curator:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-curator:{{ VERSION }} - hostname: curator - name: so-curator - user: curator diff --git a/salt/deprecated-bro/files/local.bro b/salt/deprecated-bro/files/local.bro index afe4b94ca..30b216548 100644 --- a/salt/deprecated-bro/files/local.bro +++ b/salt/deprecated-bro/files/local.bro @@ -127,11 +127,11 @@ @load policy/hassh # You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master +# /opt/so/saltstack/bro/policy/intel/ on the manager @load intel # Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master +# /opt/so/saltstack/bro/policy/custom/ on the manager #@load custom/somebropolicy.bro # Write logs in JSON 
diff --git a/salt/deprecated-bro/files/local.bro.community b/salt/deprecated-bro/files/local.bro.community index 2ae12d7f2..76b18587f 100644 --- a/salt/deprecated-bro/files/local.bro.community +++ b/salt/deprecated-bro/files/local.bro.community @@ -121,11 +121,11 @@ @load policy/ja3 # You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master +# /opt/so/saltstack/bro/policy/intel/ on the manager @load intel # Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master +# /opt/so/saltstack/bro/policy/custom/ on the manager #@load custom/somebropolicy.bro # Use JSON diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml index 2ecf08ffa..de3db8b0a 100644 --- a/salt/elastalert/files/elastalert_config.yaml +++ b/salt/elastalert/files/elastalert_config.yaml @@ -1,5 +1,5 @@ -{% set esip = salt['pillar.get']('master:mainip', '') %} -{% set esport = salt['pillar.get']('master:es_port', '') %} +{% set esip = salt['pillar.get']('manager:mainip', '') %} +{% set esport = salt['pillar.get']('manager:es_port', '') %} # This is the folder that contains the rule yaml files # Any .yaml file will be loaded as a rule rules_folder: /opt/elastalert/rules/ diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml index 82698b7a8..cd887c9f9 100644 --- a/salt/elastalert/files/rules/so/suricata_thehive.yaml +++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml 
@@ -1,7 +1,7 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} -{% set MASTER = salt['pillar.get']('master:url_base', '') %} +{% set MANAGER = salt['pillar.get']('manager:url_base', '') %} # Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance. # @@ -39,7 +39,7 @@ hive_alert_config: title: '{match[rule][name]}' type: 'NIDS' source: 'SecurityOnion' - description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" severity: 2 tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] tlp: 3 diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml index 1e275dce8..ccb79e1e5 100644 --- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml +++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml 
@@ -1,7 +1,7 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} -{% set MASTER = salt['pillar.get']('master:url_base', '') %} +{% set MANAGER = salt['pillar.get']('manager:url_base', '') %} # Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance. # @@ -38,7 +38,7 @@ hive_alert_config: title: '{match[rule][name]}' type: 'wazuh' source: 'SecurityOnion' - description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n " + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n " severity: 2 tags: ['{match[rule][id]}','{match[host][name]}'] tlp: 3 diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index b79acf77f..37c0e903e 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls 
@@ -13,12 +13,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} -{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set esalert = salt['pillar.get']('master:elastalert', '1') %} - {% set esip = salt['pillar.get']('master:mainip', '') %} - {% set esport = salt['pillar.get']('master:es_port', '') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set esalert = salt['pillar.get']('manager:elastalert', '1') %} + {% set esip = salt['pillar.get']('manager:mainip', '') %} + {% set esport = salt['pillar.get']('manager:es_port', '') %} {% elif grains['role'] == 'so-node' %} {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %} {% endif %} @@ -101,7 +101,7 @@ elastaconf: so-elastalert: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }} - hostname: elastalert - name: so-elastalert - user: elastalert diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 02dd42aa5..d5acdbcdb 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -1,5 +1,5 @@ -{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} -{%- set esclustername = salt['pillar.get']('master:esclustername', '') %} +{% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' %} +{%- set esclustername = salt['pillar.get']('manager:esclustername', '') %} cluster.name: "{{ esclustername }}" network.host: 0.0.0.0 diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 7292c055e..be0752665 100644 
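Review bot: The role guard in `elasticsearch.yml` only matches `so-manager` and `so-eval`, while `elasticsearch/init.sls` in the next file treats `so-managersearch` and `so-standalone` as manager-class roles and reads `manager:esclustername` for them. If the remainder of this template (not shown in the hunk) does not cover those two roles in an `elif`, `cluster.name` would be left unset on them while the node still listens on `network.host: 0.0.0.0`. Aligning the list, `{% if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}`, would keep the two files consistent; please verify against the rest of the template.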
--- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} @@ -22,9 +22,9 @@ {% set FEATURES = '' %} {% endif %} -{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set esclustername = salt['pillar.get']('master:esclustername', '') %} - {% set esheap = salt['pillar.get']('master:esheap', '') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set esclustername = salt['pillar.get']('manager:esclustername', '') %} + {% set esheap = salt['pillar.get']('manager:esheap', '') %} {% elif grains['role'] in ['so-node','so-heavynode'] %} {% set esclustername = salt['pillar.get']('elasticsearch:esclustername', '') %} {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} @@ -101,7 +101,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch @@ -141,7 +141,7 @@ so-elasticsearch-pipelines: - file: esyml - file: so-elasticsearch-pipelines-file -{% if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 6d33c1bdf..37f0ec9f4 100644 --- a/salt/filebeat/etc/filebeat.yml 
+++ b/salt/filebeat/etc/filebeat.yml @@ -1,7 +1,7 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %} +{%- set MANAGER = salt['pillar.get']('sensor:mainip' '') %} {%- else %} -{%- set MASTER = grains['master'] %} +{%- set MANAGER = grains['manager'] %} {%- endif %} @@ -9,7 +9,7 @@ {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %} {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} name: {{ HOSTNAME }} @@ -214,7 +214,7 @@ filebeat.inputs: {%- endif %} -{%- if FLEETMASTER or FLEETNODE %} +{%- if FLEETMANAGER or FLEETNODE %} - type: log paths: @@ -252,7 +252,7 @@ output.{{ type }}: {%- if grains['role'] == "so-eval" %} output.elasticsearch: enabled: true - hosts: ["{{ MASTER }}:9200"] + hosts: ["{{ MANAGER }}:9200"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" indices: @@ -280,7 +280,7 @@ output.logstash: enabled: true # The Logstash hosts - hosts: ["{{ MASTER }}:5644"] + hosts: ["{{ MANAGER }}:5644"] # Number of workers per Logstash host. #worker: 1 diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6fc06f582..68b488569 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
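Review bot: The renamed line `salt['pillar.get']('sensor:mainip' '')` is missing the comma before the default, so Jinja concatenates the two adjacent string literals and the call becomes `pillar.get('sensor:mainip')` with no explicit default, rather than the `''` fallback the author clearly intended. It should read `{%- set MANAGER = salt['pillar.get']('sensor:mainip', '') %}`. On the `else` branch, `grains['manager']` has no default either; if the custom grain is not written by setup the template renders an empty or undefined host into `hosts: ["{{ MANAGER }}:9200"]` and `["{{ MANAGER }}:5644"]` further down, so a `grains.get('manager', …)` lookup with a sane fallback would fail more visibly.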
@@ -12,8 +12,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} {% set FEATURES = "-features" %} @@ -51,10 +51,10 @@ filebeatconfsync: OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} so-filebeat: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} - hostname: so-filebeat - user: root - - extra_hosts: {{ MASTER }}:{{ MASTERIP }} + - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }} - binds: - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 07f7d1650..2500c604a 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -6,7 +6,7 @@ role: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} @@ -85,12 +85,12 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} - master: + - {{ portgroups.salt_manager }} + manager: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} 
@@ -166,12 +166,12 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} - mastersearch: + - {{ portgroups.salt_manager }} + managersearch: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} @@ -247,12 +247,12 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} standalone: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} @@ -328,12 +328,12 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} helixsensor: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.playbook }} @@ -391,12 +391,12 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} searchnode: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.elasticsearch_node }} dockernet: diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index bd303001b..5ff6b900b 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -19,4 +19,4 @@ firewall: ips: delete: insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 7f09d1139..b8d86f253 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml 
@@ -61,7 +61,7 @@ firewall: redis: tcp: - 6379 - salt_master: + salt_manager: tcp: - 4505 - 4506 diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index e353eaf92..7c0ec9091 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -1,4 +1,4 @@ -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} {% set VERSION = salt['pillar.get']('static:soversion') %} @@ -19,6 +19,6 @@ so/fleet: mainip: {{ grains.host }} enroll-secret: {{ ENROLLSECRET }} current-package-version: {{ CURRENTPACKAGEVERSION }} - master: {{ MASTER }} + manager: {{ MANAGER }} version: {{ VERSION }} \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 65f32e213..d597f44d8 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -2,14 +2,14 @@ {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} - {% set MAINIP = salt['pillar.get']('static:masterip') %} + {% set MAINIP = salt['pillar.get']('static:managerip') %} {% endif %} include: @@ -105,7 +105,7 @@ fleet_password_none: so-fleet: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-fleet:{{ VERSION }} - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080 
diff --git a/salt/fleet/install_package.sls b/salt/fleet/install_package.sls index 3787d6111..d09de540c 100644 --- a/salt/fleet/install_package.sls +++ b/salt/fleet/install_package.sls @@ -1,4 +1,4 @@ -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {%- set FLEETHOSTNAME = salt['pillar.get']('static:fleet_hostname', False) -%} {%- set FLEETIP = salt['pillar.get']('static:fleet_ip', False) -%} diff --git a/salt/grafana/dashboards/master/master.json b/salt/grafana/dashboards/manager/manager.json similarity index 100% rename from salt/grafana/dashboards/master/master.json rename to salt/grafana/dashboards/manager/manager.json diff --git a/salt/grafana/dashboards/mastersearch/mastersearch.json b/salt/grafana/dashboards/managersearch/managersearch.json similarity index 100% rename from salt/grafana/dashboards/mastersearch/mastersearch.json rename to salt/grafana/dashboards/managersearch/managersearch.json diff --git a/salt/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml index 9ae71e6a4..e08484044 100644 --- a/salt/grafana/etc/dashboards/dashboard.yml +++ b/salt/grafana/etc/dashboards/dashboard.yml @@ -9,14 +9,14 @@ providers: disableDeletion: false editable: true options: - path: /etc/grafana/grafana_dashboards/master + path: /etc/grafana/grafana_dashboards/manager - name: 'Master Search' folder: 'Master Search' type: file disableDeletion: false editable: true options: - path: /etc/grafana/grafana_dashboards/mastersearch + path: /etc/grafana/grafana_dashboards/managersearch - name: 'Sensor Nodes' folder: 'Sensor Nodes' type: file diff --git a/salt/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml index c9f98dc57..c70fd7137 100644 --- a/salt/grafana/etc/datasources/influxdb.yaml +++ b/salt/grafana/etc/datasources/influxdb.yaml 
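Review bot: In the grafana dashboard.yml hunk the provider's `name: 'Master Search'` and `folder: 'Master Search'` keep the old term while `path` now points at `managersearch`, so the user-visible folder name and the on-disk path no longer agree. The same leftover appears in the grafana/init.sls hunks on the following lines, where the managed files are still named `{{ SN }}-Master.json` and `{{ SN }}-MasterSearch.json` under the renamed directories. If the rename is meant to be complete, `name: 'Manager Search'` / `folder: 'Manager Search'` here and matching file names there keep the terminology consistent; if the display names are deliberately left for existing users, a comment saying so would stop the next reader from "fixing" it.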
@@ -1,4 +1,4 @@ -{%- set MASTER = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = salt['pillar.get']('static:managerip', '') %} apiVersion: 1 deleteDatasources: @@ -10,7 +10,7 @@ datasources: type: influxdb access: proxy database: telegraf - url: https://{{ MASTER }}:8086 + url: https://{{ MANAGER }}:8086 jsonData: tlsAuth: false tlsAuthWithCACert: false diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index d3c457944..c47381c26 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,8 +1,8 @@ -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} -{% set MASTER = salt['grains.get']('master') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} # Grafana all the things grafanadir: @@ -28,14 +28,14 @@ grafanadashdir: grafanadashmdir: file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/master + - name: /opt/so/conf/grafana/grafana_dashboards/manager - user: 939 - group: 939 - makedirs: True grafanadashmsdir: file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/mastersearch + - name: /opt/so/conf/grafana/grafana_dashboards/managersearch - user: 939 - group: 939 - makedirs: True 
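Review bot: `{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}` in the grafana/init.sls hunk keeps a string default, but the role check compares `GRAFANA == 1` against an integer, so the feature only enables when the pillar holds a bare YAML integer; a quoted `'1'` in pillar would silently leave Grafana off. The renamed pillar key is a good moment to normalise the type, e.g. `{% set GRAFANA = salt['pillar.get']('manager:grafana', 0) | int %}`. The influxdb/init.sls hunk two lines down and the `managerproxy == 1` check in the manager/init.sls hunk have the identical string-default / integer-compare pattern.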
@@ -76,17 +76,17 @@ grafanaconf: - template: jinja - source: salt://grafana/etc -{% if salt['pillar.get']('mastertab', False) %} -{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %} +{% if salt['pillar.get']('managertab', False) %} +{% for SN, SNDATA in salt['pillar.get']('managertab', {}).items() %} {% set NODETYPE = SN.split('_')|last %} {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-master: +dashboard-manager: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json + - name: /opt/so/conf/grafana/grafana_dashboards/manager/{{ SN }}-Master.json - user: 939 - group: 939 - template: jinja - - source: salt://grafana/dashboards/master/master.json + - source: salt://grafana/dashboards/manager/manager.json - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} @@ -99,17 +99,17 @@ dashboard-master: {% endfor %} {% endif %} -{% if salt['pillar.get']('mastersearchtab', False) %} -{% for SN, SNDATA in salt['pillar.get']('mastersearchtab', {}).items() %} +{% if salt['pillar.get']('managersearchtab', False) %} +{% for SN, SNDATA in salt['pillar.get']('managersearchtab', {}).items() %} {% set NODETYPE = SN.split('_')|last %} {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-mastersearch: +dashboard-managersearch: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/mastersearch/{{ SN }}-MasterSearch.json + - name: /opt/so/conf/grafana/grafana_dashboards/managersearch/{{ SN }}-MasterSearch.json - user: 939 - group: 939 - template: jinja - - source: salt://grafana/dashboards/mastersearch/mastersearch.json + - source: salt://grafana/dashboards/managersearch/managersearch.json - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} 
@@ -216,7 +216,7 @@ dashboard-{{ SN }}: so-grafana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} - hostname: grafana - user: socore - binds: diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 078cb5b03..a73c21d72 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} # IDSTools Setup idstoolsdir: file.directory: @@ -60,7 +60,7 @@ synclocalnidsrules: so-idstools: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} - hostname: so-idstools - user: socore - binds: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 774db2187..304018a12 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,9 +1,9 @@ -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} -{% set MASTER = salt['grains.get']('master') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} # Influx DB influxconfdir: 
@@ -26,7 +26,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false diff --git a/salt/kibana/bin/keepkibanahappy.sh b/salt/kibana/bin/keepkibanahappy.sh index 28967ee24..e8534ec12 100644 --- a/salt/kibana/bin/keepkibanahappy.sh +++ b/salt/kibana/bin/keepkibanahappy.sh @@ -1,4 +1,4 @@ -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." COUNT=0 diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 81872fd6a..85ad00bc6 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -1,20 +1,20 @@ #!/bin/bash -# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%} +# {%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager', False) -%} # {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%} -# {%- set MASTER = salt['pillar.get']('master:url_base', '') %} +# {%- set MANAGER = salt['pillar.get']('manager:url_base', '') %} KIBANA_VERSION="7.6.1" # Copy template file cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_objects.ndjson -# {% if FLEET_NODE or FLEET_MASTER %} +# {% if FLEET_NODE or FLEET_MANAGER %} # Fleet IP -sed -i "s/FLEETPLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson +sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # {% endif %} # SOCtopus and Master -sed -i "s/PLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson +sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # Load saved objects curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1 diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml index dd0d6faa9..4d19b251b 100644 --- a/salt/kibana/etc/kibana.yml +++ b/salt/kibana/etc/kibana.yml @@ -1,6 +1,6 @@ --- # Default Kibana configuration from kibana-docker. -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} server.name: kibana server.host: "0" server.basePath: /kibana diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 6379d6ad0..74b59f9ca 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
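Review bot: `sed -i "s/PLACEHOLDER/{{ MANAGER }}/g"` (and the FLEETPLACEHOLDER line above it) now interpolates `manager:url_base`; if that pillar value ever contains a `/`, which a value named url_base plausibly does, the rendered sed expression has extra delimiters and fails, leaving the placeholder in saved_objects.ndjson. Switching the delimiter avoids that: `sed -i "s|PLACEHOLDER|{{ MANAGER }}|g" /opt/so/conf/kibana/saved_objects.ndjson`. The trailing `curl ... > /dev/null 2>&1` also discards the import result, so a failed load is invisible; checking its exit status or logging the response would make the effect of this rename verifiable. The comment `# SOCtopus and Master` still uses the old term.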
@@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} {% set FEATURES = "-features" %} @@ -69,13 +69,13 @@ kibanabin: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }} - hostname: kibana - user: kibana - environment: - - ELASTICSEARCH_HOST={{ MASTER }} + - ELASTICSEARCH_HOST={{ MANAGER }} - ELASTICSEARCH_PORT=9200 - - MASTER={{ MASTER }} + - MANAGER={{ MANAGER }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw @@ -94,7 +94,7 @@ kibanadashtemplate: wait_for_kibana: module.run: - http.wait_for_successful_query: - - url: "http://{{MASTER}}:5601/api/saved_objects/_find?type=config" + - url: "http://{{MANAGER}}:5601/api/saved_objects/_find?type=config" - wait_for: 180 - onchanges: - file: kibanadashtemplate diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index e2494e57a..252f0efdc 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} 
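Review bot: The so-kibana container environment now sets `MANAGER={{ MANAGER }}` in place of `MASTER=...`; that is a runtime contract with whatever inside the image reads the variable, and the consumer is not visible in this diff. If the image's entrypoint or a config script still reads `$MASTER`, it will see an empty value after this change, so that consumer needs the matching rename, or both names set during the transition (`- MASTER={{ MANAGER }}` kept alongside the new line). A short comment next to the environment list naming the in-image consumer would make the coupling explicit.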
@@ -24,13 +24,13 @@ # Logstash Section - Decide which pillar to use {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} -{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set freq = salt['pillar.get']('master:freq', '0') %} - {% set dstats = salt['pillar.get']('master:domainstats', '0') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set freq = salt['pillar.get']('manager:freq', '0') %} + {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} {% elif grains['role'] == 'so-helix' %} - {% set freq = salt['pillar.get']('master:freq', '0') %} - {% set dstats = salt['pillar.get']('master:domainstats', '0') %} + {% set freq = salt['pillar.get']('manager:freq', '0') %} + {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} {% endif %} @@ -159,7 +159,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }} - hostname: so-logstash - name: so-logstash - user: logstash diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index 4d6595dd9..2ce204875 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja 
@@ -1,13 +1,13 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MASTER = salt['pillar.get']('elasticsearch:mainip', '') %} +{%- set MANAGER = salt['pillar.get']('elasticsearch:mainip', '') %} {%- else %} -{%- set MASTER = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = salt['pillar.get']('static:managerip', '') %} {% endif -%} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} input { redis { - host => '{{ MASTER }}' + host => '{{ MANAGER }}' data_type => 'list' key => 'logstash:unparsed' type => 'redis-input' diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 987614a2c..a1c93d6bc 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,5 +1,5 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja index 8e5e5f200..7cffcf1f7 100644 --- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja +++ b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja @@ -1,5 +1,5 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 9153d5c44..4d2fd7640 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja 
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
index 2e1e79f8b..efba078b4 100644
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
index 3da9e83ef..94c646fc3 100644
--- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
index b84ab4ec9..474b08533 100644
--- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
index d6801530b..434212c72 100644
--- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
index 67616110f..3d931015c 100644
--- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
index c6641f671..4bec9fd5e 100644
--- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
index 0cc7a3b66..bffd90a40 100644
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
index 59cae7b65..157c32941 100644
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
index 21ae77095..dc4e98401 100644
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
index 54c75873d..0ba8030bb 100644
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
index cddda5541..5730661bf 100644
--- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
index 84fd1f5f7..10acb9af6 100644
--- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 1d36d774d..ed1be775e 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 932a194ab..fc2b81479 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 5a8f9f5ba..20c4b7243 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index 5116b86ea..3b37c3af5 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -1,5 +1,5 @@
{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index afa8d290a..5b9aaf80a 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,9 +1,9 @@ -{% set MASTER = salt['pillar.get']('static:masterip', '') %} +{% set MANAGER = salt['pillar.get']('static:managerip', '') %} {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { - host => '{{ MASTER }}' + host => '{{ MANAGER }}' data_type => 'list' key => 'logstash:unparsed' congestion_interval => 1 diff --git a/salt/master/files/acng/acng.conf b/salt/manager/files/acng/acng.conf similarity index 100% rename from salt/master/files/acng/acng.conf rename to salt/manager/files/acng/acng.conf diff --git a/salt/master/files/add_minion.sh b/salt/manager/files/add_minion.sh similarity index 100% rename from salt/master/files/add_minion.sh rename to salt/manager/files/add_minion.sh diff --git a/salt/master/files/registry/scripts/so-docker-download b/salt/manager/files/registry/scripts/so-docker-download similarity index 88% rename from salt/master/files/registry/scripts/so-docker-download rename to salt/manager/files/registry/scripts/so-docker-download index 1213ae72a..dcba7a531 100644 --- a/salt/master/files/registry/scripts/so-docker-download +++ b/salt/manager/files/registry/scripts/so-docker-download @@ -1,6 +1,6 @@ #!/bin/bash -MASTER={{ MASTER }} +MANAGER={{ MANAGER }} VERSION="HH1.2.2" TRUSTED_CONTAINERS=( \ "so-nginx:$VERSION" \ 
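Review bot: In the so-docker-download hunk `VERSION="HH1.2.2"` stays hard-coded while every state touched by this commit reads the version from `static:soversion`; the script is clearly rendered as a template (it receives `{{ MANAGER }}`), so the version could come from the same source, e.g. `VERSION="{{ salt['pillar.get']('static:soversion', 'HH1.2.2') }}"` if the render context exposes `salt`, or be passed in beside MANAGER if it does not. Left as is, a version bump mirrors the old image tags into the registry while the states try to pull the new ones. The `$MANAGER` expansions in the second hunk on the next line are unquoted; `"$MANAGER:5000/soshybridhunter/$i"` is the safer form, and the loop never checks whether `docker push` succeeded.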
@@ -41,6 +41,6 @@ do # Pull down the trusted docker image docker pull --disable-content-trust=false docker.io/soshybridhunter/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i - docker push $MASTER:5000/soshybridhunter/$i + docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i + docker push $MANAGER:5000/soshybridhunter/$i done diff --git a/salt/master/init.sls b/salt/manager/init.sls similarity index 87% rename from salt/master/init.sls rename to salt/manager/init.sls index 3c6b81e5e..9ca936b2a 100644 --- a/salt/master/init.sls +++ b/salt/manager/init.sls @@ -13,8 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %} +{% set MANAGER = salt['grains.get']('manager') %} +{% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %} socore_own_saltstack: file.directory: @@ -25,7 +25,7 @@ socore_own_saltstack: - user - group -{% if masterproxy == 1 %} +{% if managerproxy == 1 %} # Create the directories for apt-cacher-ng aptcacherconfdir: @@ -54,12 +54,12 @@ aptcacherlogdir: acngcopyconf: file.managed: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - - source: salt://master/files/acng/acng.conf + - source: salt://manager/files/acng/acng.conf # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-acng:{{ VERSION }} - hostname: so-acng - restart_policy: always - port_bindings: diff --git a/salt/minio/init.sls b/salt/minio/init.sls index 7b4dd5673..2d5941301 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls 
@@ -13,8 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set access_key = salt['pillar.get']('master:access_key', '') %} -{% set access_secret = salt['pillar.get']('master:access_secret', '') %} +{% set access_key = salt['pillar.get']('manager:access_key', '') %} +{% set access_secret = salt['pillar.get']('manager:access_secret', '') %} # Minio Setup minioconfdir: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 6bb99d98c..928d14c1f 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,7 +1,7 @@ {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} {% set FLEETARCH = salt['grains.get']('role') %} @@ -9,7 +9,7 @@ {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} - {% set MAINIP = salt['pillar.get']('static:masterip') %} + {% set MAINIP = salt['pillar.get']('static:managerip') %} {% endif %} # MySQL Setup @@ -71,7 +71,7 @@ mysql_password_none: so-mysql: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-mysql:{{ VERSION }} - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 7e3a9a401..2998a5bf2 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval 
@@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -66,7 +66,7 @@ http { return 301 https://$host$request_uri; } -{% if FLEET_MASTER %} +{% if FLEET_MANAGER %} server { listen 8090 ssl http2 default_server; server_name _; @@ -81,7 +81,7 @@ http { ssl_prefer_server_ciphers on; location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; + grpc_pass grpcs://{{ managerip }}:8080; grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; @@ -110,7 +110,7 @@ http { #include /etc/nginx/default.d/*.conf; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; + proxy_pass http://{{ managerip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -124,7 +124,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -138,7 +138,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; + proxy_pass http://{{ managerip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -185,7 +185,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + proxy_pass http://{{ managerip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -198,7 +198,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + proxy_pass http://{{ managerip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -209,7 +209,7 @@ http { } location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; + proxy_pass http://{{ managerip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -222,7 +222,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ managerip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -238,7 +238,7 @@ http { } {%- else %} location /fleet/ { - proxy_pass https://{{ masterip }}:8080; + proxy_pass https://{{ managerip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -250,7 +250,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ managerip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -262,7 +262,7 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ managerip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -274,7 +274,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ managerip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
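Review bot: On the new side of the `@@ -209,7 +209,7 @@` and `@@ -222,7 +222,7 @@` hunks the `/nodered/` and `/playbook/` locations proxy to `{{ managerip }}` without the `auth_request /auth/sessions/whoami;` line that the neighbouring `/grafana/` and `/kibana/` locations carry, and `/thehive/`, `/cortex/` and `/soctopus/` in the following hunks are in the same position. If those backends are meant to rely on the nginx session check, the guard is missing; if they enforce their own login, a one-line comment per location (`# session auth handled by the upstream application`) would stop the next reader from treating the gap as an oversight. The same layout is repeated in nginx.conf.so-manager, nginx.conf.so-managersearch and nginx.conf.so-standalone, and so-manager and so-standalone are byte-identical after this change (both at blob bdb342cac), so whichever fix is chosen is easier to keep consistent if the four templates collapse into one file with role conditionals.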
@@ -297,7 +297,7 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-manager similarity index 91% rename from salt/nginx/etc/nginx.conf.so-master rename to salt/nginx/etc/nginx.conf.so-manager index de3a3a6c1..bdb342cac 100644 --- a/salt/nginx/etc/nginx.conf.so-master +++ b/salt/nginx/etc/nginx.conf.so-manager @@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -66,7 +66,7 @@ http { return 301 https://$host$request_uri; } -{% if FLEET_MASTER %} +{% if FLEET_MANAGER %} server { listen 8090 ssl http2 default_server; server_name _; @@ -81,7 +81,7 @@ http { ssl_prefer_server_ciphers on; location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; + grpc_pass grpcs://{{ managerip }}:8080; grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; @@ -110,7 +110,7 @@ http { #include /etc/nginx/default.d/*.conf; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; + proxy_pass http://{{ managerip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -124,7 +124,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -138,7 +138,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; + proxy_pass http://{{ managerip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -185,7 +185,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + proxy_pass http://{{ managerip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -198,7 +198,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + proxy_pass http://{{ managerip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -209,7 +209,7 @@ http { } location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; + proxy_pass http://{{ managerip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -222,7 +222,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ managerip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -238,7 +238,7 @@ http { } {%- else %} location /fleet/ { - proxy_pass https://{{ masterip }}:8080; + proxy_pass https://{{ managerip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -250,7 +250,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ managerip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -262,7 +262,7 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ managerip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -274,7 +274,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ managerip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -297,7 +297,7 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-managersearch similarity index 91% rename from salt/nginx/etc/nginx.conf.so-mastersearch rename to salt/nginx/etc/nginx.conf.so-managersearch index 952f18cd9..cb7576923 100644 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ b/salt/nginx/etc/nginx.conf.so-managersearch @@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -66,7 +66,7 @@ http { return 301 https://$host$request_uri; } -{% if FLEET_MASTER %} +{% if FLEET_MANAGER %} server { listen 8090 ssl http2 default_server; server_name _; 
@@ -81,7 +81,7 @@ http { ssl_prefer_server_ciphers on; location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; + grpc_pass grpcs://{{ managerip }}:8080; grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; @@ -109,7 +109,7 @@ http { #include /etc/nginx/default.d/*.conf; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; + proxy_pass http://{{ managerip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -123,7 +123,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -137,7 +137,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; + proxy_pass http://{{ managerip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -184,7 +184,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + proxy_pass http://{{ managerip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -197,7 +197,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + proxy_pass http://{{ managerip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -208,7 +208,7 @@ http { } location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; + proxy_pass http://{{ managerip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -221,7 +221,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ managerip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -237,7 +237,7 @@ http { } {%- else %} location /fleet/ { - proxy_pass https://{{ masterip }}:8080; + proxy_pass https://{{ managerip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -249,7 +249,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ managerip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -261,7 +261,7 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ managerip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -273,7 +273,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ managerip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -296,7 +296,7 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index de3a3a6c1..bdb342cac 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone 
@@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -66,7 +66,7 @@ http { return 301 https://$host$request_uri; } -{% if FLEET_MASTER %} +{% if FLEET_MANAGER %} server { listen 8090 ssl http2 default_server; server_name _; @@ -81,7 +81,7 @@ http { ssl_prefer_server_ciphers on; location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; + grpc_pass grpcs://{{ managerip }}:8080; grpc_set_header Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_buffering off; @@ -110,7 +110,7 @@ http { #include /etc/nginx/default.d/*.conf; location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; + proxy_pass http://{{ managerip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -124,7 +124,7 @@ http { location / { auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -138,7 +138,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; + proxy_pass http://{{ managerip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -185,7 +185,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + proxy_pass http://{{ managerip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -198,7 +198,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + proxy_pass http://{{ managerip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -209,7 +209,7 @@ http { } location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; + proxy_pass http://{{ managerip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -222,7 +222,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ managerip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -238,7 +238,7 @@ http { } {%- else %} location /fleet/ { - proxy_pass https://{{ masterip }}:8080; + proxy_pass https://{{ managerip }}:8080; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -250,7 +250,7 @@ http { {%- endif %} location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ managerip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -262,7 +262,7 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ managerip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_http_version 1.1; # this is essential for chunked responses to work @@ -274,7 +274,7 @@ http { } location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ managerip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -297,7 +297,7 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ managerip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; diff --git a/salt/nginx/files/navigator_config.json b/salt/nginx/files/navigator_config.json index 7e132cbf8..0c69995e3 100644 --- a/salt/nginx/files/navigator_config.json +++ b/salt/nginx/files/navigator_config.json @@ -1,4 +1,4 @@ -{%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- set ip = salt['pillar.get']('static:managerip', '') %} { "enterprise_attack_url": "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json", diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 73f14a7ed..2c6f55ef1 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,6 +1,6 @@ -{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %} +{% set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} # Drop the correct nginx config based on role 
@@ -61,15 +61,15 @@ navigatordefaultlayer: so-nginx: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} - hostname: so-nginx - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro + - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro + - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /opt/so/conf/fleet/packages:/opt/socore/html/packages # ATT&CK Navigator binds - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro @@ -78,7 +78,7 @@ so-nginx: - port_bindings: - 80:80 - 443:443 - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - 8090:8090 {%- endif %} - watch: diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows index 5617b1022..985c1c49a 100644 --- a/salt/nodered/files/nodered_load_flows +++ b/salt/nodered/files/nodered_load_flows @@ -1,4 +1,4 @@ -{%- set ip = salt['pillar.get']('static:masterip', '') -%} +{%- set ip = salt['pillar.get']('static:managerip', '') -%} #!/bin/bash default_salt_dir=/opt/so/saltstack/default diff --git a/salt/nodered/files/so_flows.json b/salt/nodered/files/so_flows.json index 8ab8cbf81..ad780ceb9 100644 --- a/salt/nodered/files/so_flows.json +++ b/salt/nodered/files/so_flows.json 
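Review bot: The `@@ -61,15 +61,15 @@` hunk rebinds the container's TLS material from `/etc/pki/managerssl.crt` and `/etc/pki/managerssl.key`, but nothing in this hunk, or elsewhere in salt/nginx/init.sls as shown, creates or renames those host files. If the state that produced `/etc/pki/masterssl.*` was not updated in the same change, Docker will bind-mount a newly created directory at each path and nginx will fail to load its certificate and key at start-up. Worth confirming the producing state was renamed as well, and adding a `- require:` on it to the `so-nginx` state so the ordering is explicit rather than incidental. The `so-nginx` state continues outside the hunk.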
@@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%} {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') -%} {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') -%} -[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c59
5a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. 
It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run 
Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MASTERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MASTERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is 
created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split 
Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = 
msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] +[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive 
Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c595a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case 
Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. 
It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run 
Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MANAGERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MANAGERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is 
created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split 
Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = 
msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index ed673d969..edcec2f6c 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json 
@@ -1,11 +1,11 @@
-{%- set MASTER = grains['master'] -%}
+{%- set MANAGER = grains['manager'] -%}
 {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"debug",
 "agent": {
 "pollIntervalMs": 10000,
- "serverUrl": "https://{{ MASTER }}/sensoroniagents",
+ "serverUrl": "https://{{ MANAGER }}/sensoroniagents",
 "verifyCert": false,
 "modules": {
 "statickeyauth": {
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index bcf09b765..a492ffc82 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -13,7 +13,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
-{% set MASTER = salt['grains.get']('master') %}
+{% set MANAGER = salt['grains.get']('manager') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
 {% set BPF_COMPILED = "" %}
@@ -129,7 +129,7 @@ sensoronilog:
 so-steno:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
 - network_mode: host
 - privileged: True
 - port_bindings:
@@ -146,7 +146,7 @@ so-steno:
 so-sensoroni:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
 - network_mode: host
 - binds:
 - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index eca8bda40..da1461871 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
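Review bot: The renamed `"serverUrl": "https://{{ MANAGER }}/sensoroniagents"` still sits directly above `"verifyCert": false`, so the agent accepts any certificate on that channel and the hostname change gives the sensoroni poll no server authenticity; an on-path host can present itself as the manager. The ssl state in this same commit issues the manager a certificate from the internal CA (`/etc/pki/ca.crt`, CN `{{ manager }}`), so the agent could verify against that CA instead of disabling checks — I would set `"verifyCert": true` and point the agent at the CA bundle if the sensoroni config exposes such an option, which I cannot confirm from this diff. At minimum, add a comment on the `verifyCert` line stating why verification is off and that the `statickeyauth` module below (keyed by `SENSORONIKEY`) is what authenticates the peer, if that is the intent.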
@@ -1,7 +1,7 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} +{% set MANAGER = salt['grains.get']('manager') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} @@ -40,7 +40,7 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{MASTERIP}}:7000/playbook/webhook' where project_id = 1" + - query: "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id = 1" - connection_host: {{ MAINIP }} - connection_port: 3306 - connection_user: root @@ -53,8 +53,8 @@ query_updatepluginurls: update settings set value = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess project: '1' - convert_url: http://{{MASTERIP}}:7000/playbook/sigmac - create_url: http://{{MASTERIP}}:7000/playbook/play" + convert_url: http://{{MANAGERIP}}:7000/playbook/sigmac + create_url: http://{{MANAGERIP}}:7000/playbook/play" where id = 43 - connection_host: {{ MAINIP }} - connection_port: 3306 
@@ -73,11 +73,11 @@ playbook_password_none: so-playbook: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-playbook:{{ VERSION }} - hostname: playbook - name: so-playbook - environment: - - REDMINE_DB_MYSQL={{ MASTERIP }} + - REDMINE_DB_MYSQL={{ MANAGERIP }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 4b09abe0a..c29ab85ed 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,7 +13,7 @@ def run(): STATICFILE = f"{LOCAL_SALT_DIR}/pillar/static.sls" SECRETSFILE = f"{LOCAL_SALT_DIR}/pillar/secrets.sls" - if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']: + if MINIONID.split('_')[-1] in ['manager','eval','fleet','managersearch','standalone']: if ACTION == 'enablefleet': logging.info('so/fleet enablefleet reactor') @@ -27,7 +27,7 @@ def run(): if ROLE == 'so-fleet': line = re.sub(r'fleet_node: \S*', f"fleet_node: True", line.rstrip()) else: - line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip()) + line = re.sub(r'fleet_manager: \S*', f"fleet_manager: True", line.rstrip()) print(line) # Update the enroll secret in the secrets pillar @@ -50,7 +50,7 @@ def run(): PACKAGEVERSION = data['data']['current-package-version'] PACKAGEHOSTNAME = data['data']['package-hostname'] - MASTER = data['data']['master'] + MANAGER = data['data']['manager'] VERSION = data['data']['version'] ESECRET = data['data']['enroll-secret'] 
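Review bot: `line = re.sub(r'fleet_manager: \S*', f"fleet_manager: True", line.rstrip())` silently matches nothing when an upgraded deployment's static pillar still carries the old `fleet_master:` key, so the enablefleet reactor would print the pillar back unchanged while reporting success; the same lockstep dependency applies to `MANAGER = data['data']['manager']`, which raises KeyError unless the event sender was renamed at the same time (not visible here). During the transition I would accept both spellings, `line = re.sub(r'fleet_(master|manager): \S*', "fleet_manager: True", line.rstrip())`, and track whether any substitution happened so the reactor can log an error instead of quietly leaving fleet disabled. `run()` starts before this hunk and continues past it.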
@@ -59,7 +59,7 @@ def run(): # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 5db53957c..ec36d164c 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} # Redis Setup redisconfdir: @@ -47,7 +47,7 @@ redisconfsync: so-redis: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index 7939ec35b..2171971bc 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -1,4 +1,4 @@ -{%- set WEBACCESS = salt['pillar.get']('master:url_base', '') -%} +{%- set WEBACCESS = salt['pillar.get']('manager:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} selfservice: diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 693c44aeb..7c7614a14 100644 
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -1,4 +1,4 @@
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%}
 {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
@@ -12,10 +12,10 @@
 "jobDir": "jobs"
 },
 "kratos": {
- "hostUrl": "http://{{ MASTERIP }}:4434/"
+ "hostUrl": "http://{{ MANAGERIP }}:4434/"
 },
 "elastic": {
- "hostUrl": "http://{{ MASTERIP }}:9200",
+ "hostUrl": "http://{{ MANAGERIP }}:9200",
 "username": "",
 "password": "",
 "verifyCert": false
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index cc2c9dfd6..bf7250e72 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -1,5 +1,5 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
-{% set MASTER = salt['grains.get']('master') %}
+{% set MANAGER = salt['grains.get']('manager') %}
 socdir:
 file.directory:
@@ -33,7 +33,7 @@ socsync:
 so-soc:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
 - hostname: soc
 - name: so-soc
 - binds:
@@ -84,7 +84,7 @@ kratossync:
 so-kratos:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-kratos:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/soshybridhunter/so-kratos:{{ VERSION }}
 - hostname: kratos
 - name: so-kratos
 - binds:
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index d2c3eea2d..bdf4aafa9 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -1,10 +1,10 @@
-{%- set MASTER = salt['pillar.get']('master:url_base', '') %}
+{%- set MANAGER = salt['pillar.get']('manager:url_base', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 [es]
-es_url = http://{{MASTER}}:9200
-es_ip = {{MASTER}}
+es_url = http://{{MANAGER}}:9200
+es_ip = {{MANAGER}}
 es_user = YOURESUSER
 es_pass = YOURESPASS
 es_index_pattern = so-*
@@ -12,7 +12,7 @@ es_verifycert = no
 [cortex]
 auto_analyze_alerts = no
-cortex_url = https://{{MASTER}}/cortex/
+cortex_url = https://{{MANAGER}}/cortex/
 cortex_key = {{ CORTEXKEY }}
 supported_analyzers = Urlscan_io_Search,CERTatPassiveDNS
@@ -33,7 +33,7 @@ grr_user = YOURGRRUSER
 grr_pass = YOURGRRPASS
 [hive]
-hive_url = https://{{MASTER}}/thehive/
+hive_url = https://{{MANAGER}}/thehive/
 hive_key = {{ HIVEKEY }}
 hive_tlp = 3
 hive_verifycert = no
@@ -60,7 +60,7 @@ slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK
 [playbook]
-playbook_url = http://{{MASTER}}:3200/playbook
+playbook_url = http://{{MANAGER}}:3200/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing
diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template
index cdda8a19b..b56050741 100644
--- a/salt/soctopus/files/templates/es-generic.template
+++ b/salt/soctopus/files/templates/es-generic.template
@@ -1,4 +1,4 @@
-{% set ES = salt['pillar.get']('static:masterip', '') %}
+{% set ES = salt['pillar.get']('static:managerip', '') %}
 alert: modules.so.playbook-es.PlaybookESAlerter
 elasticsearch_host: "{{ ES }}:9200"
diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template
index 68dc040fc..4369a666e 100644
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
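Review bot: The `[playbook]` hunk keeps `playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f` as a literal in a file committed to the repository, while the neighbouring `hive_key` and `cortex_key` are rendered from pillar, so this API key is the same on every deployment and known to anyone who can read the repo. It should be templated like the others, e.g. `playbook_key = {{ salt['pillar.get']('static:playbookkey', '') }}` with a matching `{%- set ... %}` at the top of the file, and the existing key rotated on the Redmine side; I cannot tell from the diff whether the installer already overwrites it. Separately, the renamed `cortex_url`/`hive_url` lines are https but `hive_verifycert = no` and `playbook_verifycert = no` remain, so the manager rename still leaves SOCtopus with an unauthenticated channel to the manager even though this commit's ssl state issues it an internal-CA certificate these clients could verify against.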
@@ -1,5 +1,5 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set es = salt['pillar.get']('static:managerip', '') %}
+{% set hivehost = salt['pillar.get']('static:managerip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 alert: hivealerter
diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index 28ea29ee9..f49e4fdfe 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,5 +1,5 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set es = salt['pillar.get']('static:managerip', '') %}
+{% set hivehost = salt['pillar.get']('static:managerip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 alert: hivealerter
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 6c06fecff..1621de936 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,7 +1,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
-{% set MASTER = salt['grains.get']('master') %}
-{%- set MASTER_URL = salt['pillar.get']('master:url_base', '') %}
-{%- set MASTER_IP = salt['pillar.get']('static:masterip', '') %}
+{% set MANAGER = salt['grains.get']('manager') %}
+{%- set MANAGER_URL = salt['pillar.get']('manager:url_base', '') %}
+{%- set MANAGER_IP = salt['pillar.get']('static:managerip', '') %}
 soctopusdir:
 file.directory:
@@ -50,7 +50,7 @@ playbookrulessync:
 so-soctopus:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }}
 - hostname: soctopus
 - name: so-soctopus
 - binds:
@@ -61,4 +61,4 @@ so-soctopus:
 - port_bindings:
 - 0.0.0.0:7000:7000
 - extra_hosts:
- - {{MASTER_URL}}:{{MASTER_IP}}
+ - {{MANAGER_URL}}:{{MANAGER_IP}}
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index db4bc97ea..1ef5e81c2 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,5 +1,5 @@ -{% set master = salt['grains.get']('master') %} -{% set masterip = salt['pillar.get']('static:masterip', '') %} +{% set manager = salt['grains.get']('manager') %} +{% set managerip = salt['pillar.get']('static:managerip', '') %} {% set HOSTNAME = salt['grains.get']('host') %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} @@ -7,13 +7,13 @@ {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} -{% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %} +{% if grains.id.split('_')|last in ['manager', 'eval', 'standalone'] %} {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} {% set ca_server = grains.id %} {% else %} {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} {% for host in x509dict %} - {% if 'master' in host.split('_')|last or host.split('_')|last == 'standalone' %} + {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} {% do global_ca_server.append(host) %} {% endif %} @@ -43,7 +43,7 @@ m2cryptopkgs: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ master }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -59,7 +59,7 @@ influxkeyperms: - mode: 640 - group: 939 -{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone'] %} # Request a cert and drop it where it needs to go to be distributed /etc/pki/filebeat.crt: 
@@ -70,7 +70,7 @@ influxkeyperms: {% if grains.role == 'so-heavynode' %} - CN: {{grains.id}} {% else %} - - CN: {{master}} + - CN: {{manager}} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -119,7 +119,7 @@ fbcrtlink: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ master }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -136,31 +136,31 @@ regkeyperms: - group: 939 # Create a cert for the reverse proxy -/etc/pki/masterssl.crt: +/etc/pki/managerssl.crt: x509.certificate_managed: - ca_server: {{ ca_server }} - - signing_policy: masterssl - - public_key: /etc/pki/masterssl.key - - CN: {{ master }} + - signing_policy: managerssl + - public_key: /etc/pki/managerssl.key + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True - managed_private_key: - name: /etc/pki/masterssl.key + name: /etc/pki/managerssl.key bits: 4096 backup: True msslkeyperms: file.managed: - replace: False - - name: /etc/pki/masterssl.key + - name: /etc/pki/managerssl.key - mode: 640 - group: 939 # Create a private key and cert for OSQuery /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ master }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -169,8 +169,8 @@ msslkeyperms: /etc/pki/fleet.crt: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - - CN: {{ master }} - - subjectAltName: DNS:{{ master }},IP:{{ masterip }} + - CN: {{ manager }} + - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -187,7 +187,7 @@ fleetkeyperms: - group: 939 {% endif %} -{% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} +{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} fbcertdir: file.directory: 
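Review bot: Renaming the state to `/etc/pki/managerssl.crt` with `signing_policy: managerssl` and `managed_private_key.name: /etc/pki/managerssl.key` only works if the CA minion's `x509_signing_policies` configuration also gains a `managerssl` policy — otherwise `x509.certificate_managed` fails on every manager — and nothing in the hunk retires the old `/etc/pki/masterssl.crt`/`masterssl.key`, so a superseded private key stays on disk and any consumer still wired to the old path (the "reverse proxy" the comment names) keeps serving the stale certificate. Neither the policy definition nor the proxy config is visible in this diff, so please confirm both were updated in lockstep. I would also add `file.absent` states next to the new certificate so upgrades remove the old key material rather than leaving two manager keys side by side.

```yaml
# … unchanged: /etc/pki/managerssl.crt x509.certificate_managed and msslkeyperms …
/etc/pki/masterssl.crt:
  file.absent
/etc/pki/masterssl.key:
  file.absent
```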
@@ -203,7 +203,7 @@ fbcertdir: {% if grains.role == 'so-heavynode' %} - CN: {{grains.id}} {% else %} - - CN: {{master}} + - CN: {{manager}} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -238,25 +238,25 @@ chownfilebeatp8: {% if grains['role'] == 'so-fleet' %} # Create a cert for the reverse proxy -/etc/pki/masterssl.crt: +/etc/pki/managerssl.crt: x509.certificate_managed: - ca_server: {{ ca_server }} - - signing_policy: masterssl - - public_key: /etc/pki/masterssl.key + - signing_policy: managerssl + - public_key: /etc/pki/managerssl.key - CN: {{ HOSTNAME }} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True - managed_private_key: - name: /etc/pki/masterssl.key + name: /etc/pki/managerssl.key bits: 4096 backup: True msslkeyperms: file.managed: - replace: False - - name: /etc/pki/masterssl.key + - name: /etc/pki/managerssl.key - mode: 640 - group: 939 diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml index 76a2ae3af..b25e5630d 100644 --- a/salt/strelka/files/backend/backend.yaml +++ b/salt/strelka/files/backend/backend.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} logging_cfg: '/etc/strelka/logging.yaml' limits: diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml index c45fd8644..539e4314c 100644 --- a/salt/strelka/files/filestream/filestream.yaml +++ b/salt/strelka/files/filestream/filestream.yaml 
@@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} conn: server: '{{ ip }}:57314' diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml index 56df323f9..5d72f1e0d 100644 --- a/salt/strelka/files/frontend/frontend.yaml +++ b/salt/strelka/files/frontend/frontend.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} server: ":57314" coordinator: diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml index 8a5966ac9..db9dd7f91 100644 --- a/salt/strelka/files/manager/manager.yaml +++ b/salt/strelka/files/manager/manager.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} coordinator: addr: '{{ ip }}:6380' diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 4a422b642..a77b635fe 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -12,8 +12,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- set MASTER = grains['master'] %} -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = grains['manager'] %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} @@ -79,7 +79,7 @@ strelkastagedir: strelka_coordinator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} - name: so-strelka-coordinator - entrypoint: redis-server --save "" --appendonly no - port_bindings: @@ -87,7 +87,7 @@ strelka_coordinator: strelka_gatekeeper: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} - name: so-strelka-gatekeeper - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -95,7 +95,7 @@ strelka_gatekeeper: strelka_frontend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }} - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw @@ -107,7 +107,7 @@ strelka_frontend: strelka_backend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro 
@@ -117,7 +117,7 @@ strelka_backend: strelka_manager: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager @@ -125,7 +125,7 @@ strelka_manager: strelka_filestream: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }} - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 11d178654..7790887d9 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -16,7 +16,7 @@ {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BROVER = salt['pillar.get']('static:broversion', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} {% set BPF_STATUS = 0 %} @@ -132,7 +132,7 @@ suribpf: so-suricata: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/suricata/master.sls b/salt/suricata/manager.sls similarity index 100% rename from salt/suricata/master.sls rename to salt/suricata/manager.sls diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 6260c1ec1..557d4e519 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja 
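Review bot: `salt['grains.get']('manager')` in suricata/init.sls replaces a lookup of `master`, which is a grain Salt populates itself from the minion's master setting; a `manager` grain only exists if this commit provisions one (not visible here), and because the call has no default a missing grain renders `image: None:5000/soshybridhunter/so-suricata:...`, so Docker would try to pull from a host named None rather than the state failing. The raising form strelka/init.sls adopts in the same commit, `{% set MANAGER = grains['manager'] %}`, keeps that failure loud. The so-suricata state in the second hunk also runs with `privileged: True`; for packet capture `cap_add` of NET_ADMIN/NET_RAW is usually sufficient and keeps a compromise of the IDS container off the host, and the same applies to so-zeek further down. The so-suricata state continues past the end of the hunk.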
@@ -11,7 +11,7 @@ HOME_NET: "[{{salt['pillar.get']('sensor:hnsensor')}}]" {% endload %} {% else %} {% load_yaml as homenet %} -HOME_NET: "[{{salt['pillar.get']('static:hnmaster', '')}}]" +HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]" {% endload %} {% endif %} diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 5a054bf5d..78c6a18c6 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,11 +1,11 @@ {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} so-tcpreplay: docker_container.running: - network_mode: "host" - - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }} - name: so-tcpreplay - user: root - interactive: True diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index be99dc849..f768efe74 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -13,7 +13,7 @@ # them with $. For strings the variable must be within quotes (ie, "$STR_VAR"), # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) -{%- set MASTER = grains['master'] %} +{%- set MANAGER = grains['manager'] %} {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} @@ -98,7 +98,7 @@ ## urls will be written to each interval. # urls = ["unix:///var/run/influxdb.sock"] # urls = ["udp://127.0.0.1:8089"] - urls = ["https://{{ MASTER }}:8086"] + urls = ["https://{{ MANAGER }}:8086"] ## The target database for metrics; will be created as needed. 
@@ -616,13 +616,13 @@ # # Read stats from one or more Elasticsearch servers or clusters -{% if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} [[inputs.elasticsearch]] # ## specify a list of one or more Elasticsearch servers # # you can add username and password to your url to use basic authentication: # # servers = ["http://user:pass@localhost:9200"] - servers = ["http://{{ MASTER }}:9200"] + servers = ["http://{{ MANAGER }}:9200"] {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["http://{{ NODEIP }}:9200"] @@ -666,7 +666,7 @@ # # Read metrics from one or more commands that can output to stdout # ## Commands array -{% if grains['role'] in ['so-master', 'so-mastersearch'] %} +{% if grains['role'] in ['so-manager', 'so-managersearch'] %} [[inputs.exec]] commands = [ "/scripts/redis.sh", diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 9ae0903b9..782707a44 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,4 +1,4 @@ -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} # Add Telegraf to monitor all the things. @@ -36,7 +36,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc 
@@ -53,7 +53,7 @@ so-telegraf: - /proc:/host/proc:ro - /nsm:/host/nsm:ro - /etc:/host/etc:ro - {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %} + {% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch' %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro diff --git a/salt/thehive/etc/application.conf b/salt/thehive/etc/application.conf index 8630cb386..f06c3f7c6 100644 --- a/salt/thehive/etc/application.conf +++ b/salt/thehive/etc/application.conf @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %} # Secret Key @@ -6,7 +6,7 @@ # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="letsdewdis" play.http.context=/thehive/ -search.uri = "http://{{ MASTERIP }}:9400" +search.uri = "http://{{ MANAGERIP }}:9400" # Elasticsearch search { # Name of the index @@ -14,8 +14,8 @@ search { # Name of the Elasticsearch cluster cluster = thehive # Address of the Elasticsearch instance - host = ["{{ MASTERIP }}:9500"] - #search.uri = "http://{{ MASTERIP }}:9500" + host = ["{{ MANAGERIP }}:9500"] + #search.uri = "http://{{ MANAGERIP }}:9500" # Scroll keepalive keepalive = 1m # Size of the page for scroll @@ -135,7 +135,7 @@ play.modules.enabled += connectors.cortex.CortexConnector cortex { "CORTEX-SERVER-ID" { - url = "http://{{ MASTERIP }}:9001/cortex/" + url = "http://{{ MANAGERIP }}:9001/cortex/" key = "{{ CORTEXKEY }}" # # HTTP client configuration (SSL and proxy) # ws {} 
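Review bot: `play.http.secret.key="letsdewdis"` is left as a fixed literal in the rendered TheHive configuration in the `@@ -6,7` hunk, and the cortex-application.conf hunk below carries the same value. Play uses this key to sign session cookies and CSRF tokens, so a published value lets anyone who can reach the service forge signed sessions; the file already reads per-install secrets from pillar (`static:cortexorguserkey`), so the key should come from pillar the same way, e.g. `play.http.secret.key="{{ salt['pillar.get']('static:playsecret', '') }}"` with the value generated at setup. `search.uri` and the Cortex URL are plain `http://`, which is acceptable only while that traffic stays on the manager host.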
@@ -210,9 +210,9 @@ misp { } webhooks { NodeRedWebHook { - url = "http://{{ MASTERIP }}:1880/thehive" + url = "http://{{ MANAGERIP }}:1880/thehive" } #SOCtopusWebHook { - # url = "http://{{ MASTERIP }}:7000/enrich" + # url = "http://{{ MANAGERIP }}:7000/enrich" #} } diff --git a/salt/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf index 28fbe6791..b9cbe20cc 100644 --- a/salt/thehive/etc/cortex-application.conf +++ b/salt/thehive/etc/cortex-application.conf @@ -1,11 +1,11 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} # Secret Key # The secret key is used to secure cryptographic functions. # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="letsdewdis" play.http.context=/cortex/ -search.uri = "http://{{ MASTERIP }}:9400" +search.uri = "http://{{ MANAGERIP }}:9400" # Elasticsearch search { @@ -14,7 +14,7 @@ search { # Name of the Elasticsearch cluster cluster = thehive # Address of the Elasticsearch instance - host = ["{{ MASTERIP }}:9500"] + host = ["{{ MANAGERIP }}:9500"] # Scroll keepalive keepalive = 1m # Size of the page for scroll diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index da07247c4..a1b9b50f1 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -1,6 +1,6 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} thehiveconfdir: file.directory: - name: /opt/so/conf/thehive/etc 
@@ -71,7 +71,7 @@ thehiveesdata: so-thehive-es: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }} - hostname: so-thehive-es - name: so-thehive-es - user: 939 @@ -99,7 +99,7 @@ so-thehive-es: # Install Cortex so-cortex: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }} - hostname: so-cortex - name: so-cortex - user: 939 @@ -118,9 +118,9 @@ cortexscript: so-thehive: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive:{{ VERSION }} - environment: - - ELASTICSEARCH_HOST={{ MASTERIP }} + - ELASTICSEARCH_HOST={{ MANAGERIP }} - hostname: so-thehive - name: so-thehive - user: 939 diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 063ae498d..1d0fe29f0 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -1,5 +1,5 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %} {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} @@ -11,7 +11,7 @@ default_salt_dir=/opt/so/saltstack/default cortex_init(){ sleep 60 - CORTEX_IP="{{MASTERIP}}" + CORTEX_IP="{{MANAGERIP}}" CORTEX_USER="{{CORTEXUSER}}" CORTEX_PASSWORD="{{CORTEXPASSWORD}}" CORTEX_KEY="{{CORTEXKEY}}" @@ -54,7 +54,7 @@ if [ -f /opt/so/state/cortex.txt ]; then exit 0 else rm -f garbage_file - while ! wget -O garbage_file {{MASTERIP}}:9500 2>/dev/null + while ! wget -O garbage_file {{MANAGERIP}}:9500 2>/dev/null do echo "Waiting for Elasticsearch..." rm -f garbage_file 
diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index 296004e77..69ff72fa7 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,12 +1,12 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} thehive_init(){ sleep 120 - THEHIVE_IP="{{MASTERIP}}" + THEHIVE_IP="{{MANAGERIP}}" THEHIVE_USER="{{THEHIVEUSER}}" THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}" THEHIVE_KEY="{{THEHIVEKEY}}" @@ -52,7 +52,7 @@ if [ -f /opt/so/state/thehive.txt ]; then exit 0 else rm -f garbage_file - while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null + while ! wget -O garbage_file {{MANAGERIP}}:9400 2>/dev/null do echo "Waiting for Elasticsearch..." rm -f garbage_file diff --git a/salt/top.sls b/salt/top.sls index fbf9e32ef..a04e75657 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -1,10 +1,10 @@ {%- set BROVER = salt['pillar.get']('static:broversion', '') -%} {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} -{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} -{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} -{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%} -{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%} +{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%} +{%- set FREQSERVER = salt['pillar.get']('manager:freq', '0') -%} +{%- set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} @@ -30,7 +30,7 @@ base: - telegraf - firewall - idstools - - suricata.master + - suricata.manager - pcap - suricata - zeek @@ -56,7 +56,7 @@ base: - strelka {%- endif %} - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -65,7 +65,7 @@ base: - ca - ssl - registry - - master + - manager - common - nginx - telegraf @@ -74,9 +74,9 @@ base: - soc - firewall - idstools - - suricata.master + - suricata.manager - healthcheck - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -95,7 +95,7 @@ base: - filebeat - curator - elastalert - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis - fleet.install_package @@ -117,7 +117,7 @@ base: {%- endif %} - '*_master': + '*_manager': - ca - ssl - registry 
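Review bot: the defaults set in this hunk are strings (`'0'`) but the later hunks of top.sls compare them as integers (`PLAYBOOK != 0`, `WAZUH != 0`), and in Jinja `'0' != 0` is true, so a host whose pillar lacks `manager:playbook` or `static:wazuh` gets the mysql and wazuh states applied instead of skipped. Either default to integers, `{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', 0) -%}`, or compare with `PLAYBOOK|int != 0`. The same check is worth making for THEHIVE, FREQSERVER and DOMAINSTATS wherever they are compared outside this view.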
@@ -128,11 +128,11 @@ base: - grafana - soc - firewall - - master + - manager - idstools - - suricata.master + - suricata.manager - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -145,7 +145,7 @@ base: - filebeat - utility - schedule - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package {%- endif %} @@ -167,7 +167,7 @@ base: - ca - ssl - registry - - master + - manager - common - nginx - telegraf @@ -176,10 +176,10 @@ base: - soc - firewall - idstools - - suricata.master + - suricata.manager - healthcheck - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -199,7 +199,7 @@ base: - filebeat - curator - elastalert - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis - fleet.install_package @@ -227,7 +227,7 @@ base: - common - firewall - logstash - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -239,7 +239,7 @@ base: - logstash - elasticsearch - curator - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -249,7 +249,7 @@ base: - common - firewall - elasticsearch - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -268,12 +268,12 @@ base: - elasticsearch - curator - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule - '*_mastersensor': + '*_managersensor': - common - nginx - telegraf 
@@ -281,13 +281,13 @@ base: - grafana - firewall - sensor - - master - {%- if FLEETMASTER or FLEETNODE %} + - manager + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule - '*_mastersearch': + '*_managersearch': - ca - ssl - registry @@ -298,11 +298,11 @@ base: - grafana - soc - firewall - - master + - manager - idstools - - suricata.master + - suricata.manager - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -316,7 +316,7 @@ base: - filebeat - utility - schedule - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package {%- endif %} @@ -348,7 +348,7 @@ base: - elasticsearch - curator - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - pcap diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index c8768230e..31cbdfceb 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams @@ -1,6 +1,6 @@ #!/bin/bash -{% set ES = salt['pillar.get']('master:mainip', '') %} -{%- set MASTER = grains['master'] %} +{% set ES = salt['pillar.get']('manager:mainip', '') %} +{%- set MANAGER = grains['manager'] %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." @@ -29,7 +29,7 @@ fi echo "Applying cross cluster search config..." curl -s -XPUT http://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MASTER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" # Add all the search nodes to cross cluster searching. diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index 7ff0ef886..87692e40f 100644 
--- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval @@ -1,5 +1,5 @@ #!/bin/bash -{% set ES = salt['pillar.get']('master:mainip', '') %} +{% set ES = salt['pillar.get']('manager:mainip', '') %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 87cfe8e87..00899f69a 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,5 +1,5 @@ # This state is for checking things -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} # Make sure Cross Cluster is good. Will need some logic once we have hot/warm crossclusterson: cmd.script: diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf index ffc7922b0..37971aa93 100644 --- a/salt/wazuh/files/agent/ossec.conf +++ b/salt/wazuh/files/agent/ossec.conf @@ -1,5 +1,5 @@ -{%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ip = salt['pillar.get']('static:managerip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index b38474d8e..f2fd8693f 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent 
@@ -1,5 +1,5 @@ -{%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ip = salt['pillar.get']('static:managerip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index 66dc13cd9..d39d68e36 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set WAZUH_ENABLED = salt['pillar.get']('static:wazuh', '0') %} #!/bin/bash local_salt_dir=/opt/so/saltstack/local @@ -21,12 +21,12 @@ local_salt_dir=/opt/so/saltstack/local # Check if Wazuh enabled if [ {{ WAZUH_ENABLED }} ]; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" - if ! grep -q "{{ MASTERIP }}" $WAZUH_MGR_CFG ; then + if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n {{ MASTERIP }}\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG." + echo -e "\n \n {{ MANAGERIP }}\n \n" >> $WAZUH_MGR_CFG + echo "Added whitelist entry for {{ MANAGERIP }} in $WAZUH_MGR_CFG." echo fi fi diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 3e0969359..6e8c757f1 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
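Review bot: `if [ {{ WAZUH_ENABLED }} ]; then` in wazuh-manager-whitelist is always true, because `[ 0 ]` tests a non-empty string, so the whitelist entry is appended to ossec.conf even when Wazuh is disabled; the intended test is `if [ "{{ WAZUH_ENABLED }}" != "0" ]; then`. The `grep -q "{{ MANAGERIP }}"` guard also treats the address as a regex and a substring, so 10.0.0.1 matches an existing 10.0.0.10 entry; `grep -qFw "{{ MANAGERIP }}" $WAZUH_MGR_CFG` is the exact match. Note too that the Jinja `set` lines precede `#!/bin/bash`, so unless Salt is rendering with trim_blocks the shebang is not on the first line of the rendered script.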
@@ -1,6 +1,6 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} # Add ossec group ossecgroup: group.present: @@ -83,7 +83,7 @@ wazuhmgrwhitelist: so-wazuh: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja index a370bbf4f..81f981c1d 100644 --- a/salt/yum/etc/yum.conf.jinja +++ b/salt/yum/etc/yum.conf.jinja @@ -11,6 +11,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release -{% if salt['pillar.get']('static:masterupdate', '0') %} -proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 +{% if salt['pillar.get']('static:managerupdate', '0') %} +proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('manager')) }}:3142 {% endif %} \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 246b43c90..af8b2b4d6 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('manager') %} {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} 
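Review bot: `salt['config.get']('manager')` in the yum proxy fallback no longer resolves the Salt master address: the minion config key written by `configure_minion` elsewhere in this commit is still `master`, so unless a `manager` grain or pillar key exists on every node this renders `proxy=http://:3142` and yum breaks wherever `managerupdate` is set. Either keep `salt['config.get']('master')` for this lookup, since it names the Salt master rather than the SO role, or read the same `grains.get('manager')` value the other states use. Also `'0'` as the default in `pillar.get('static:managerupdate', '0')` is a non-empty string and therefore truthy, so a host without that pillar key gets the proxy line; use `0` as the default or compare with `|int`.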
@@ -156,7 +156,7 @@ localzeeksync: so-zeek: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} + - image: {{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} - privileged: True - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index ac0033f83..156697a28 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -32,7 +32,7 @@ BROVERSION=ZEEK # EVALADVANCED=BASIC GRAFANA=1 # HELIXAPIKEY= -HNMASTER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=standalone install_type=STANDALONE @@ -40,8 +40,8 @@ install_type=STANDALONE # LSINPUTTHREADS= # LSPIPELINEBATCH= # LSPIPELINEWORKERS= -MASTERADV=BASIC -MASTERUPDATES=1 +MANAGERADV=BASIC +MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= @@ -55,7 +55,7 @@ NIDS=Suricata # NODE_LS_HEAP_SIZE= NODESETUP=NODEBASIC NSMSETUP=BASIC -NODEUPDATES=MASTER +NODEUPDATES=MANAGER # OINKCODE= OSQUERY=1 # PATCHSCHEDULEDAYS= diff --git a/setup/so-functions b/setup/so-functions index 5bbb319eb..7741b4181 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -24,7 +24,7 @@ SOVERSION=$(cat ../VERSION) accept_salt_key_remote() { systemctl restart salt-minion - echo "Accept the key remotely on the master" >> "$setup_log" 2>&1 + echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y salt-call state.apply ca 
@@ -43,11 +43,11 @@ add_admin_user() { } -add_master_hostfile() { +add_manager_hostfile() { [ -n "$TESTING" ] && return - echo "Checking if I can resolve master. If not add to hosts file" >> "$setup_log" 2>&1 + echo "Checking if I can resolve manager. If not add to hosts file" >> "$setup_log" 2>&1 # Pop up an input to get the IP address MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) @@ -60,7 +60,7 @@ addtotab_generate_templates() { local addtotab_path=$local_salt_dir/pillar/data - for i in evaltab mastersearchtab mastertab nodestab sensorstab standalonetab; do + for i in evaltab managersearchtab managertab nodestab sensorstab standalonetab; do printf '%s\n'\ "$i:"\ "" > "$addtotab_path"/$i.sls @@ -87,11 +87,11 @@ so_add_user() { fi } -add_socore_user_master() { +add_socore_user_manager() { so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1 } -add_soremote_user_master() { +add_soremote_user_manager() { so_add_user "soremote" "947" "947" "/home/soremote" "$SOREMOTEPASS1" >> "$setup_log" 2>&1 } @@ -152,7 +152,7 @@ bro_logs_enabled() { "brologs:"\ " enabled:" > "$brologs_pillar" - if [ "$MASTERADV" = 'ADVANCED' ]; then + if [ "$MANAGERADV" = 'ADVANCED' ]; then for BLOG in "${BLOGS[@]}"; do echo " - $BLOG" | tr -d '"' >> "$brologs_pillar" done @@ -265,12 +265,12 @@ check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } -clear_master() { - # Clear out the old master public key in case this is a re-install. - # This only happens if you re-install the master. +clear_manager() { + # Clear out the old manager public key in case this is a re-install. + # This only happens if you re-install the manager. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then { - echo "Clearing old master key"; + echo "Clearing old Salt master key"; rm -f /etc/salt/pki/minion/minion_master.pub; systemctl -q restart salt-minion; } >> "$setup_log" 2>&1 
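Review bot: the whiptail prompt in `add_manager_hostfile` still reads `"Enter your Master Server IP Address"` while the function, its log message and the rest of the commit have moved to "manager", so the installer now mixes both terms in front of the user. Renaming the prompt to `"Enter your Manager Server IP Address"` keeps the user-facing wording consistent with the new names. The rest of the function is outside the hunk.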
@@ -360,7 +360,7 @@ configure_minion() { 'helix') echo "master: $HOSTNAME" >> "$minion_config" ;; - 'master' | 'eval' | 'mastersearch' | 'standalone') + 'manager' | 'eval' | 'managersearch' | 'standalone') printf '%s\n'\ "master: $HOSTNAME"\ "mysql.host: '$MAINIP'"\ @@ -437,9 +437,9 @@ check_requirements() { fi } -copy_master_config() { +copy_salt_master_config() { - # Copy the master config template to the proper directory + # Copy the Salt master config template to the proper directory if [ "$setup_type" = 'iso' ]; then cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 else @@ -452,7 +452,7 @@ copy_master_config() { copy_minion_tmp_files() { case "$install_type" in - 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE') echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then @@ -461,12 +461,12 @@ copy_minion_tmp_files() { ;; *) { - echo "scp pillar and salt files in $temp_install_dir to master $local_salt_dir"; + echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/master/files/add_minion.sh "$MINION_ID"; + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 ;; esac 
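Review bot: the `ssh ... sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"` call in copy_minion_tmp_files passes the minion ID through a second shell on the manager: ssh joins its arguments into one string that the remote login shell re-parses, so the local double quotes do not protect against spaces or metacharacters in `$MINION_ID` (the `mkdir -p /tmp/"$MINION_ID"/...` lines have the same property). The ID appears to be derived from the hostname and install type, so the exposure is limited, but because the remote side runs under sudo the safe form is `... sudo $default_salt_dir/salt/manager/files/add_minion.sh "$(printf '%q' "$MINION_ID")"`. The function's closing brace is outside the hunk.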
@@ -479,8 +479,8 @@ copy_ssh_key() { mkdir -p /root/.ssh ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - echo "Copying the SSH key to the master" - #Copy the key over to the master + echo "Copying the SSH key to the manager" + #Copy the key over to the manager ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" } @@ -703,7 +703,7 @@ docker_install() { else case "$install_type" in - 'MASTER' | 'EVAL') + 'MANAGER' | 'EVAL') apt-get update >> "$setup_log" 2>&1 ;; *) @@ -733,7 +733,7 @@ docker_registry() { echo "Setting up Docker Registry" >> "$setup_log" 2>&1 mkdir -p /etc/docker >> "$setup_log" 2>&1 - # Make the host use the master docker registry + # Make the host use the manager docker registry if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi printf '%s\n'\ "{"\ @@ -832,7 +832,7 @@ firewall_generate_templates() { cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 - for i in analyst beats_endpoint sensor master minion osquery_endpoint search_node wazuh_endpoint; do + for i in analyst beats_endpoint sensor manager minion osquery_endpoint search_node wazuh_endpoint; do $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 done @@ -846,7 +846,7 @@ fleet_pillar() { printf '%s\n'\ "fleet:"\ " mainip: $MAINIP"\ - " master: $MSRV"\ + " manager: $MSRV"\ "" > "$pillar_file" } @@ -883,7 +883,7 @@ got_root() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MASTERSEARCH' | 'MASTER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; 'HELIXSENSOR') 
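Review bot: `chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh` in copy_ssh_key hands root's entire `.ssh` directory, including the passphrase-less `so.key` that the later `ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo ...` calls use to run commands as root on the manager, to the account that invoked sudo. That account already holds sudo here, but a non-root owner on `/root/.ssh` would typically also make sshd's StrictModes reject root's `authorized_keys`, and it leaves the key readable by whoever later holds that account. Unless a following step runs ssh as `$SUDO_USER` (not visible in this hunk), `chown -R root:root /root/.ssh && chmod 700 /root/.ssh && chmod 600 /root/.ssh/so.key` is the safer form, and an explicit `-b 4096` (or `-t ed25519`) on the ssh-keygen line would match the 4096-bit TLS keys this commit provisions elsewhere.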
@@ -916,13 +916,13 @@ install_cleanup() { } -master_pillar() { +manager_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - # Create the master pillar + # Create the manager pillar printf '%s\n'\ - "master:"\ + "manager:"\ " mainip: $MAINIP"\ " mainint: $MNIC"\ " esheap: $ES_HEAP_SIZE"\ @@ -931,7 +931,7 @@ master_pillar() { " domainstats: 0" >> "$pillar_file" - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MASTERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MANAGERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then printf '%s\n'\ " mtu: $MTU" >> "$pillar_file" fi @@ -978,19 +978,19 @@ master_pillar() { cat "$pillar_file" >> "$setup_log" 2>&1 } -master_static() { +manager_static() { local static_pillar="$local_salt_dir/pillar/static.sls" # Create a static file for global values printf '%s\n'\ "static:"\ " soversion: $SOVERSION"\ - " hnmaster: $HNMASTER"\ + " hnmanager: $HNMANAGER"\ " ntpserver: $NTPSERVER"\ " proxy: $PROXY"\ " broversion: $BROVERSION"\ " ids: $NIDS"\ - " masterip: $MAINIP"\ + " managerip: $MAINIP"\ " hiveuser: hiveadmin"\ " hivepassword: hivechangeme"\ " hivekey: $HIVEKEY"\ @@ -1001,7 +1001,7 @@ master_static() { " cortexorguser: soadmin"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ " fleet_custom_hostname: "\ - " fleet_master: False"\ + " fleet_manager: False"\ " fleet_node: False"\ " fleet_packages-timestamp: N/A"\ " fleet_packages-version: 1"\ @@ -1009,7 +1009,7 @@ master_static() { " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY"\ " wazuh: $WAZUH"\ - " masterupdate: $MASTERUPDATES"\ + " managerupdate: $MANAGERUPDATES"\ "strelka:"\ " enabled: $STRELKA"\ " rules: $STRELKARULES"\ 
@@ -1074,7 +1074,7 @@ elasticsearch_pillar() { " replicas: 0"\ "" >> "$pillar_file" - if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then + if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MANAGERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then printf '%s\n'\ "logstash_settings:"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ @@ -1162,11 +1162,11 @@ saltify() { set_progress_str 6 'Installing various dependencies' yum -y install wget nmap-ncat >> "$setup_log" 2>&1 case "$install_type" in - 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') reserve_group_ids >> "$setup_log" 2>&1 yum -y install epel-release >> "$setup_log" 2>&1 yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 - # Download Ubuntu Keys in case master updates = 1 + # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 @@ -1177,7 +1177,7 @@ saltify() { systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) - if [ "$MASTERUPDATES" = '1' ]; then + if [ "$MANAGERUPDATES" = '1' ]; then { # Create the GPG Public Key for the Salt Repo cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; 
@@ -1233,7 +1233,7 @@ saltify() { 'FLEET') if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; - 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) @@ -1263,9 +1263,9 @@ saltify() { apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) - # Copy down the gpg keys and install them from the master + # Copy down the gpg keys and install them from the manager mkdir "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "scp the gpg keys and install them from the master" >> "$setup_log" 2>&1 + echo "scp the gpg keys and install them from the manager" >> "$setup_log" 2>&1 scp -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 @@ -1291,7 +1291,7 @@ saltify() { salt_checkin() { case "$install_type" in - 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') # Fix Mine usage + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE') # Fix Mine usage { echo "Building Certificate Authority"; salt-call state.apply ca; @@ -1359,7 +1359,7 @@ setup_salt_master_dirs() { cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 fi - echo "Chown the salt dirs on the master for socore" >> "$setup_log" 2>&1 + echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1 chown -R socore:socore /opt/so } 
@@ -1414,7 +1414,7 @@ sensor_pillar() { " brobpf:"\ " pcapbpf:"\ " nidsbpf:"\ - " master: $MSRV"\ + " manager: $MSRV"\ " mtu: $MTU"\ " uniqueid: $(date '+%s')" >> "$pillar_file" if [ "$HNSENSOR" != 'inherit' ]; then @@ -1460,7 +1460,7 @@ set_hostname() { set_hostname_iso - if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then if ! getent hosts "$MSRV"; then echo "$MSRVIP $MSRV" >> /etc/hosts fi @@ -1487,13 +1487,13 @@ set_initial_firewall_policy() { if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi case "$install_type" in - 'MASTER') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + 'MANAGER') + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" - $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + $default_salt_dir/pillar/data/addtotab.sh managertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; - 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" 
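Review bot: In set_initial_firewall_policy the new hostgroup name `manager` passed to `so-firewall includehost` and the new `managertab` / `managersearchtab` arguments to addtotab.sh are string contracts with scripts that are not in this part of the diff; if either still only knows the old `master` names, the allow-list entry for the manager's own address is silently skipped, because none of these calls checks its exit status. I would at least guard the apply step, e.g. `$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" || { echo "so-firewall failed" >> "$setup_log"; exit 1; }`. `$default_salt_dir` is also unquoted on every call in this hunk while `"$MAINIP"` and `"$setup_log"` are quoted elsewhere in the script; quoting it keeps the style consistent. The case statement continues past the hunk.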
@@ -1501,8 +1501,8 @@ set_initial_firewall_policy() { 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True ;; - 'MASTERSEARCH') - $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + 'MANAGERSEARCH') + $default_salt_dir/pillar/data/addtotab.sh managersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'STANDALONE') $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE @@ -1510,7 +1510,7 @@ set_initial_firewall_policy() { esac ;; 'HELIXSENSOR') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; @@ -1569,7 +1569,7 @@ set_management_interface() { set_node_type() { case "$install_type" in - 'SEARCHNODE' | 'EVAL' | 'MASTERSEARCH' | 'HEAVYNODE' | 'STANDALONE') + 'SEARCHNODE' | 'EVAL' | 'MANAGERSEARCH' | 'HEAVYNODE' | 'STANDALONE') NODETYPE='search' ;; 'HOTNODE') @@ -1582,13 +1582,13 @@ set_node_type() { } set_updates() { - if [ "$MASTERUPDATES" = '1' ]; then + if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then if ! grep -q "$MSRV" /etc/yum.conf; then echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi else - # Set it up so the updates roll through the master + # Set it up so the updates roll through the manager printf '%s\n'\ "Acquire::http::Proxy \"http://$MSRV:3142\";"\ "Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy 
@@ -1609,7 +1609,7 @@ update_sudoers() { echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/manager/files/add_minion.sh" | tee -a /etc/sudoers else echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1 fi @@ -1625,7 +1625,7 @@ update_packages() { } use_turbo_proxy() { - if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then echo "turbo is not supported on this install type" >> $setup_log 2>&1 return fi @@ -1649,7 +1649,7 @@ ls_heapsize() { fi case "$install_type" in - 'MASTERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR' | 'STANDALONE') + 'MANAGERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR' | 'STANDALONE') LS_HEAP_SIZE='1000m' ;; 'EVAL') @@ -1661,7 +1661,7 @@ ls_heapsize() { esac export LS_HEAP_SIZE - if [[ "$install_type" =~ ^(EVAL|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ "$install_type" =~ ^(EVAL|MANAGERSEARCH|STANDALONE)$ ]]; then NODE_LS_HEAP_SIZE=LS_HEAP_SIZE export NODE_LS_HEAP_SIZE fi @@ -1683,7 +1683,7 @@ es_heapsize() { fi export ES_HEAP_SIZE - if [[ "$install_type" =~ ^(EVAL|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ "$install_type" =~ ^(EVAL|MANAGERSEARCH|STANDALONE)$ ]]; then NODE_ES_HEAP_SIZE=ES_HEAP_SIZE export NODE_ES_HEAP_SIZE fi diff --git a/setup/so-setup b/setup/so-setup index 3f6d42380..8844e87ed 100755 --- a/setup/so-setup +++ b/setup/so-setup 
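Review bot: The NOPASSWD rule now names `$default_salt_dir/salt/manager/files/add_minion.sh`, but this echo sits inside a branch whose `else` reports "User soremote already granted sudo privileges", so on a host that already carries the old `salt/master/files/add_minion.sh` rule the new path is never granted and the `ssh ... sudo .../salt/manager/files/add_minion.sh` call in copy_minion_tmp_files will be refused; the guard condition is outside the hunk, so verify it keys on more than the user name. Appending with `tee -a /etc/sudoers` also bypasses syntax checking; writing these rules to a file under `/etc/sudoers.d/` and validating it with `visudo -cf` before installing is the safer idiom. A script path granted NOPASSWD should also be root-owned and not writable by soremote, otherwise the rule is equivalent to unrestricted root.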
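Review bot: In the ls_heapsize and es_heapsize hunks the rewritten `if [[ "$install_type" =~ ^(EVAL|MANAGERSEARCH|STANDALONE)$ ]]` guards `NODE_LS_HEAP_SIZE=LS_HEAP_SIZE` and `NODE_ES_HEAP_SIZE=ES_HEAP_SIZE`, which assign the literal variable names rather than their values (the `$` is missing), so the following export publishes the string `LS_HEAP_SIZE`. Those assignments are context lines, but the condition around them is what this commit touched, so it is a natural moment to change them to `NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE` and `NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE`, unless some consumer deliberately expects the name, which I cannot see on this page. Both functions continue past their hunks.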
@@ -129,21 +129,21 @@ whiptail_install_type if [ "$install_type" = 'EVAL' ]; then is_node=true - is_master=true + is_manager=true is_sensor=true is_eval=true elif [ "$install_type" = 'STANDALONE' ]; then - is_master=true - is_distmaster=true + is_manager=true + is_distmanager=true is_node=true is_sensor=true -elif [ "$install_type" = 'MASTERSEARCH' ]; then - is_master=true - is_distmaster=true +elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_manager=true + is_distmanager=true is_node=true -elif [ "$install_type" = 'MASTER' ]; then - is_master=true - is_distmaster=true +elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + is_distmanager=true elif [ "$install_type" = 'SENSOR' ]; then is_sensor=true is_minion=true @@ -169,7 +169,7 @@ elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" -elif [[ $is_distmaster || $is_minion ]]; then +elif [[ $is_distmanager || $is_minion ]]; then check_requirements "dist" fi @@ -214,15 +214,15 @@ if [[ $is_helix ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC HNSENSOR=inherit - MASTERUPDATES=0 + MANAGERUPDATES=0 fi -if [[ $is_helix || ( $is_master && $is_node ) ]]; then +if [[ $is_helix || ( $is_manager && $is_node ) ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC fi -if [[ $is_master && $is_node ]]; then +if [[ $is_manager && $is_node ]]; then LSPIPELINEWORKERS=1 LSPIPELINEBATCH=125 LSINPUTTHREADS=1 @@ -241,16 +241,16 @@ if [[ $is_helix || $is_sensor ]]; then calculate_useable_cores fi -if [[ $is_helix || $is_master ]]; then - whiptail_homenet_master +if [[ $is_helix || $is_manager ]]; then + whiptail_homenet_manager fi -if [[ $is_helix || $is_master || $is_node ]]; then +if [[ $is_helix || $is_manager || $is_node ]]; then set_base_heapsizes fi -if [[ $is_master && ! $is_eval ]]; then - whiptail_master_adv +if [[ $is_manager && ! $is_eval ]]; then + whiptail_manager_adv whiptail_bro_version whiptail_nids whiptail_rule_setup 
@@ -259,12 +259,12 @@ if [[ $is_master && ! $is_eval ]]; then whiptail_oinkcode fi - if [ "$MASTERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then - whiptail_master_adv_service_brologs + if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then + whiptail_manager_adv_service_brologs fi fi -if [[ $is_master ]]; then +if [[ $is_manager ]]; then whiptail_components_adv_warning whiptail_enable_components if [[ $STRELKA == 1 ]]; then @@ -274,10 +274,10 @@ if [[ $is_master ]]; then get_redirect fi -if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then - whiptail_master_updates - if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then - whiptail_master_updates_warning +if [[ $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then + whiptail_manager_updates + if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then + whiptail_manager_updates_warning fi fi @@ -285,7 +285,7 @@ if [[ $is_minion ]]; then whiptail_management_server fi -if [[ $is_distmaster ]]; then +if [[ $is_distmanager ]]; then collect_soremote_inputs fi @@ -349,20 +349,20 @@ fi { set_hostname; set_version; - clear_master; + clear_manager; } >> $setup_log 2>&1 -if [[ $is_master ]]; then +if [[ $is_manager ]]; then { generate_passwords; secrets_pillar; - add_socore_user_master; + add_socore_user_manager; } >> $setup_log 2>&1 fi -if [[ $is_master && ! $is_eval ]]; then - add_soremote_user_master >> $setup_log 2>&1 +if [[ $is_manager && ! $is_eval ]]; then + add_soremote_user_manager >> $setup_log 2>&1 fi set_main_ip >> $setup_log 2>&1 
@@ -408,12 +408,12 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' { create_local_directories; addtotab_generate_templates; - copy_master_config; + copy_salt_master_config; setup_salt_master_dirs; firewall_generate_templates; } >> $setup_log 2>&1 @@ -421,11 +421,11 @@ fi set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 - set_progress_str 12 'Generating master static pillar' - master_static >> $setup_log 2>&1 + set_progress_str 12 'Generating manager static pillar' + manager_static >> $setup_log 2>&1 - set_progress_str 13 'Generating master pillar' - master_pillar >> $setup_log 2>&1 + set_progress_str 13 'Generating manager pillar' + manager_pillar >> $setup_log 2>&1 fi @@ -446,22 +446,22 @@ fi fi if [[ $is_minion ]]; then - set_progress_str 20 'Accepting Salt key on master' + set_progress_str 20 'Accepting Salt key on manager' accept_salt_key_remote >> $setup_log 2>&1 fi - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 20 'Accepting Salt key' salt-key -ya "$MINION_ID" >> $setup_log 2>&1 fi - set_progress_str 21 'Copying minion pillars to master' + set_progress_str 21 'Copying minion pillars to manager' copy_minion_tmp_files >> $setup_log 2>&1 set_progress_str 22 'Generating CA and checking in' salt_checkin >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 25 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 
@@ -474,14 +474,14 @@ fi salt-call state.apply -l info registry >> $setup_log 2>&1 docker_seed_registry 2>> "$setup_log" # ~ 60% when finished - set_progress_str 60 "$(print_salt_state_apply 'master')" - salt-call state.apply -l info master >> $setup_log 2>&1 + set_progress_str 60 "$(print_salt_state_apply 'manager')" + salt-call state.apply -l info manager >> $setup_log 2>&1 set_progress_str 61 "$(print_salt_state_apply 'idstools')" salt-call state.apply -l info idstools >> $setup_log 2>&1 - set_progress_str 61 "$(print_salt_state_apply 'suricata.master')" - salt-call state.apply -l info suricata.master >> $setup_log 2>&1 + set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')" + salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 fi @@ -499,7 +499,7 @@ fi set_progress_str 64 "$(print_salt_state_apply 'nginx')" salt-call state.apply -l info nginx >> $setup_log 2>&1 - if [[ $is_master || $is_node ]]; then + if [[ $is_manager || $is_node ]]; then set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 fi @@ -520,7 +520,7 @@ fi salt-call state.apply -l info curator >> $setup_log 2>&1 fi - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 69 "$(print_salt_state_apply 'soc')" salt-call state.apply -l info soc >> $setup_log 2>&1 @@ -584,12 +584,12 @@ fi fi fi - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 81 "$(print_salt_state_apply 'utility')" salt-call state.apply -l info utility >> $setup_log 2>&1 fi - if [[ ( $is_helix || $is_master || $is_node ) && ! $is_eval ]]; then + if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then set_progress_str 82 "$(print_salt_state_apply 'logstash')" salt-call state.apply -l info logstash >> $setup_log 2>&1 
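Review bot: `salt-call state.apply -l info manager` and `salt-call state.apply -l info suricata.manager` now name states that must exist under the renamed `salt/manager/` and as `salt/suricata/manager`; the state files are not in this part of the diff, and since every `salt-call` in this block only appends to `$setup_log` without checking its exit status, a missing state would surface only as a silently half-configured manager. Consider checking the return value of at least these two applies, e.g. `salt-call state.apply -l info manager >> $setup_log 2>&1 || echo "state.apply manager failed" >> $setup_log`, or confirm the renamed state paths land in the same commit. The enclosing `if` block starts and ends outside the hunk.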
@@ -601,7 +601,7 @@ fi filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 87 'Adding user to SOC' add_web_user >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index e165ba351..12fdecf99 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -405,23 +405,23 @@ whiptail_helix_apikey() { } -whiptail_homenet_master() { +whiptail_homenet_manager() { [ -n "$TESTING" ] && return - HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \ + HNMANAGER=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your HOME_NET separated by ," 10 75 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - export HNMASTER + export HNMANAGER } whiptail_homenet_sensor() { [ -n "$TESTING" ] && return - # Ask to inherit from master + # Ask to inherit from manager whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 75 local exitstatus=$? @@ -459,10 +459,10 @@ whiptail_install_type() { if [[ $install_type == "DISTRIBUTED" ]]; then install_type=$(whiptail --title "Security Onion Setup" --radiolist \ "Choose distributed node type:" 13 60 6 \ - "MASTER" "Start a new grid " ON \ + "MANAGER" "Start a new grid " ON \ "SENSOR" "Create a forward only sensor " OFF \ "SEARCHNODE" "Add a search node with parsing " OFF \ - "MASTERSEARCH" "Master + search node " OFF \ + "MANAGERSEARCH" "Master + search node " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \ 3>&1 1>&2 2>&3 
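Review bot: `whiptail_homenet_manager` accepts free-form text into `HNMANAGER` and exports it with no check; the value is later written verbatim into the static pillar by manager_static, so a typo or a stray `"`, `#` or `: ` yields a broken or silently different HOME_NET instead of an error. A re-prompt loop like the `while [[ -z "$PATCHSCHEDULENAME" ]]` one used by whiptail_patch_name_new_schedule, extended with a pattern for a comma-separated list of CIDR ranges, would catch that at input time. Also, the new radiolist entry `"MANAGERSEARCH" "Master + search node "` and the `whiptail_homenet_sensor` prompt still say "Master" while the option names now say MANAGER; the user-facing strings should follow the rename in the same change.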
@@ -606,20 +606,20 @@ whiptail_management_server() { whiptail_check_exitstatus $exitstatus if ! getent hosts "$MSRV"; then - add_master_hostfile + add_manager_hostfile fi } # Ask if you want to do advanced setup of the Master -whiptail_master_adv() { +whiptail_manager_adv() { [ -n "$TESTING" ] && return - MASTERADV=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose what type of master install:" 20 75 4 \ - "BASIC" "Install master with recommended settings" ON \ - "ADVANCED" "Do additional configuration to the master" OFF 3>&1 1>&2 2>&3 ) + MANAGERADV=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose what type of manager install:" 20 75 4 \ + "BASIC" "Install manager with recommended settings" ON \ + "ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -627,7 +627,7 @@ whiptail_master_adv() { } # Ask which additional components to install -whiptail_master_adv_service_brologs() { +whiptail_manager_adv_service_brologs() { [ -n "$TESTING" ] && return @@ -792,7 +792,7 @@ whiptail_patch_name_new_schedule() { [ -n "$TESTING" ] && return PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -800,7 +800,7 @@ whiptail_patch_name_new_schedule() { while [[ -z "$PATCHSCHEDULENAME" ]]; do whiptail --title "Security Onion Setup" --msgbox "Please enter a name for this OS patch schedule." 8 75 PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus done @@ -851,7 +851,7 @@ whiptail_patch_schedule_import() { unset PATCHSCHEDULENAME PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -859,7 +859,7 @@ whiptail_patch_schedule_import() { while [[ -z "$PATCHSCHEDULENAME" ]]; do whiptail --title "Security Onion Setup" --msgbox "Please enter a name for the OS patch schedule you want to inherit." 8 75 PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -945,7 +945,7 @@ whiptail_rule_setup() { # Get pulled pork info RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \ - "Which IDS ruleset would you like to use?\n\nThis master server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the master server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ + "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ "ETOPEN" "Emerging Threats Open" ON \ "ETPRO" "Emerging Threats PRO" OFF \ "TALOSET" "Snort Subscriber (Talos) and ET NoGPL rulesets" OFF \ 
@@ -1098,34 +1098,34 @@ whiptail_suricata_pins() { } -whiptail_master_updates() { +whiptail_manager_updates() { [ -n "$TESTING" ] && return local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MANAGER" "Master node is proxy for updates." ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus case "$update_string" in - 'MASTER') - MASTERUPDATES='1' + 'MANAGER') + MANAGERUPDATES='1' ;; *) - MASTERUPDATES='0' + MANAGERUPDATES='0' ;; esac } -whiptail_master_updates_warning() { +whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup"\ - --msgbox "Updating through the master node requires the master to have internet access, press ENTER to continue"\ + --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue"\ 8 75 local exitstatus=$? @@ -1138,7 +1138,7 @@ whiptail_node_updates() { NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MANAGER" "Master node is proxy for updates." ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index 8b7fcd312..a0a4b0288 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions @@ -32,7 +32,7 @@ fi HOSTNAME=$(hostname) # List all the containers -if [ $MASTERCHECK != 'so-helix' ]; then +if [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( \ "so-acng:$BUILD$UPDATEVERSION" \ "so-thehive-cortex:$BUILD$UPDATEVERSION" \ 
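Review bot: The new option lines `"MANAGER" "Master node is proxy for updates." ON` in whiptail_manager_updates and again in whiptail_node_updates still describe the choice as "Master" while the value and the variable it sets (`MANAGERUPDATES`) were renamed; the description should read `"MANAGER" "Manager node is proxy for updates." ON` so the dialog matches the rest of the rename. The `whiptail_manager_updates_warning` text in the same hunk was updated, which makes the leftover more visible.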
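Review bot: `if [ $MANAGERCHECK != 'so-helix' ]` in so-update-functions leaves the variable unquoted, and as far as the soup hunk on this page shows, the file is sourced before `manager_check` runs, so at this point `MANAGERCHECK` is normally empty and the test degrades to `[ != so-helix ]`, a unary-operator error that evaluates false and skips the TRUSTED_CONTAINERS assignment for the non-helix case. Quote it as `if [ "${MANAGERCHECK:-}" != 'so-helix' ]; then` so the test is at least well-formed, and either read the role grain at the top of the file or move the container list into a function that runs after manager_check so the condition sees a real value. The rest of the TRUSTED_CONTAINERS array is outside the hunk.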
@@ -136,13 +136,13 @@ detect_os() { } -master_check() { - # Check to see if this is a master - MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MASTERCHECK == 'so-eval' OR $MASTERCHECK == 'so-master' OR $MASTERCHECK == 'so-mastersearch' ]; then - echo "This is a master. We can proceed" +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then + echo "This is a manager. We can proceed" else - echo "Please run soup on the master. The master controls all updates." + echo "Please run soup on the manager. The manager controls all updates." exit } diff --git a/upgrade/soup b/upgrade/soup index 19fa0203f..068782f04 100644 --- a/upgrade/soup +++ b/upgrade/soup @@ -19,7 +19,7 @@ SCRIPTDIR=$(dirname "$0") source $SCRIPTDIR/so-update-functions # Update Packages -master_check +manager_check update_all_packages update_held_packages From 96bcf9d9f3b5f878095d43fc418cf5b1a4336ed7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 11:51:55 -0400 Subject: [PATCH 155/314] Add temaplte files per index --- .../pipelines/templates/so/so-beats-template.json | 13 ++++++++----- .../pipelines/templates/so/so-common-template.json | 8 ++++---- .../templates/so/so-firewall-template.json | 13 ++++++++----- .../pipelines/templates/so/so-ids-template.json | 13 ++++++++----- .../pipelines/templates/so/so-import-template.json | 13 ++++++++----- .../templates/so/so-osquery-template.json | 13 ++++++++----- .../pipelines/templates/so/so-ossec-template.json | 13 ++++++++----- .../templates/so/so-strelka-template.json | 13 ++++++++----- .../pipelines/templates/so/so-syslog-template.json | 14 +++++++++----- .../pipelines/templates/so/so-zeek-template.json | 11 +++++++---- 10 files changed, 76 insertions(+), 48 deletions(-) 
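Review bot: The rewritten condition `if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]` is not valid `test` syntax — `[` has no `OR` operator, so the test errors out and the else branch always runs, which means soup refuses to proceed on every host including a real manager; the removed line had the same bug, but this is the line the commit rewrote. The unquoted variable and the bare `exit` (status 0, so a caller cannot distinguish the refusal from success) compound it; a `case` on the quoted grain value with `exit 1` fixes all three, and the `cat | grep | awk` pipeline can be a single awk. The hunk may not show the function's `fi`, so check the remainder of the body when applying.
```shell
manager_check() {
  # Check to see if this is a manager
  MANAGERCHECK=$(awk '/role/ {print $2}' /etc/salt/grains)
  case "$MANAGERCHECK" in
    so-eval|so-manager|so-managersearch)
      echo "This is a manager. We can proceed"
      ;;
    *)
      echo "Please run soup on the manager. The manager controls all updates."
      exit 1
      ;;
  esac
  # … unchanged: closing brace …
```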
diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json
index 48459bc7a..6d2cf7851 100644
--- a/salt/logstash/pipelines/templates/so/so-beats-template.json
+++ b/salt/logstash/pipelines/templates/so/so-beats-template.json
@@ -1,10 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
 {
 "index_patterns": ["so-beats-*"],
- "version":50001,
- "order" : 11,
+ "version": 50001,
+ "order": 11,
 "settings":{
- "number_of_replicas":0,
- "number_of_shards":1,
- "index.refresh_interval":"30s"
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
 }
 }
diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/logstash/pipelines/templates/so/so-common-template.json
index 396e26c3c..1b4bb1206 100644
--- a/salt/logstash/pipelines/templates/so/so-common-template.json
+++ b/salt/logstash/pipelines/templates/so/so-common-template.json
@@ -1,15 +1,15 @@
 {
 "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"],
 "version":50001,
- "order" : 10,
+ "order":10,
 "settings":{
 "number_of_replicas":0,
 "number_of_shards":1,
 "index.refresh_interval":"30s"
 },
 "mappings":{
- "dynamic": false,
- "date_detection": false,
+ "dynamic":false,
+ "date_detection":false,
 "properties":{
 "@timestamp":{
 "type":"date"
@@ -19,7 +19,7 @@
 },
 "osquery":{
 "type":"object",
- "dynamic": true
+ "dynamic":true
 },
 "geoip":{
 "dynamic":true,
diff --git a/salt/logstash/pipelines/templates/so/so-firewall-template.json b/salt/logstash/pipelines/templates/so/so-firewall-template.json
index 61a95c0e7..7bc81fd12 100644
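Review bot: `REPLICAS` is read from the global `elasticsearch:replicas` while `SHARDS` and `REFRESH` come from the per-index `elasticsearch:index_settings:so-beats:` path, so an operator who sets replicas under index_settings next to shards, as the key layout invites, will find it ignored; the same asymmetry is in the firewall, ids, import, osquery, ossec and strelka templates on this page (and presumably the syslog and zeek ones listed in the diffstat). A per-index lookup with the global value as fallback keeps today's default: `{%- set REPLICAS = salt['pillar.get']('elasticsearch:index_settings:so-beats:replicas', salt['pillar.get']('elasticsearch:replicas', 0)) %}`. The values are also interpolated unquoted into JSON, so a mis-typed pillar (an empty string, a quoted word) renders a template that only fails when it is loaded; rendering them as `{{ SHARDS|int }}` and `{{ REPLICAS|int }}` pins the type at render time. Spacing after `:` (`"order": 11` here and in so-import versus `"order":11` in the others) is inconsistent across the new files.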
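Review bot: so-common-template keeps the hard-coded `"number_of_replicas":0`, `"number_of_shards":1` and `"index.refresh_interval":"30s"` while every per-index template in this commit now takes those three from pillar at order 11; because the per-index templates have the higher order they win for every pattern the common template lists, so these settings are now dead values that will mislead anyone tuning the file. Either drop the settings block from the common template or read the same `elasticsearch:replicas` pillar value here so the two layers cannot disagree. The mappings section continues past the hunk.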
--- a/salt/logstash/pipelines/templates/so/so-firewall-template.json
+++ b/salt/logstash/pipelines/templates/so/so-firewall-template.json
@@ -1,10 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
 {
- "index_patterns": ["so-zeek-*"],
+ "index_patterns": ["so-firewall-*"],
 "version":50001,
- "order" : 11,
+ "order":11,
 "settings":{
- "number_of_replicas":0,
- "number_of_shards":1,
- "index.refresh_interval":"30s"
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
 }
 }
diff --git a/salt/logstash/pipelines/templates/so/so-ids-template.json b/salt/logstash/pipelines/templates/so/so-ids-template.json
index 61a95c0e7..abf37319a 100644
--- a/salt/logstash/pipelines/templates/so/so-ids-template.json
+++ b/salt/logstash/pipelines/templates/so/so-ids-template.json
@@ -1,10 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
 {
- "index_patterns": ["so-zeek-*"],
+ "index_patterns": ["so-ids-*"],
 "version":50001,
- "order" : 11,
+ "order":11,
 "settings":{
- "number_of_replicas":0,
- "number_of_shards":1,
- "index.refresh_interval":"30s"
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
 }
 }
diff --git a/salt/logstash/pipelines/templates/so/so-import-template.json b/salt/logstash/pipelines/templates/so/so-import-template.json
index 61a95c0e7..e4d68235d 100644
--- a/salt/logstash/pipelines/templates/so/so-import-template.json
+++ b/salt/logstash/pipelines/templates/so/so-import-template.json
@@ -1,10 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %} { - "index_patterns": ["so-zeek-*"], + "index_patterns": ["so-import-*"], "version":50001, - "order" : 11, + "order": 11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } diff --git a/salt/logstash/pipelines/templates/so/so-osquery-template.json b/salt/logstash/pipelines/templates/so/so-osquery-template.json index 61a95c0e7..47cb3ebab 100644 --- a/salt/logstash/pipelines/templates/so/so-osquery-template.json +++ b/salt/logstash/pipelines/templates/so/so-osquery-template.json @@ -1,10 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %} { - "index_patterns": ["so-zeek-*"], + "index_patterns": ["so-osquery-*"], "version":50001, - "order" : 11, + "order":11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } diff --git a/salt/logstash/pipelines/templates/so/so-ossec-template.json b/salt/logstash/pipelines/templates/so/so-ossec-template.json index 61a95c0e7..ce903e228 100644 --- a/salt/logstash/pipelines/templates/so/so-ossec-template.json +++ b/salt/logstash/pipelines/templates/so/so-ossec-template.json 
@@ -1,10 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %} { - "index_patterns": ["so-zeek-*"], + "index_patterns": ["so-ossec-*"], "version":50001, - "order" : 11, + "order":11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } diff --git a/salt/logstash/pipelines/templates/so/so-strelka-template.json b/salt/logstash/pipelines/templates/so/so-strelka-template.json index 61a95c0e7..2f7db541a 100644 --- a/salt/logstash/pipelines/templates/so/so-strelka-template.json +++ b/salt/logstash/pipelines/templates/so/so-strelka-template.json @@ -1,10 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %} { - "index_patterns": ["so-zeek-*"], + "index_patterns": ["so-strelka-*"], "version":50001, - "order" : 11, + "order":11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } diff --git a/salt/logstash/pipelines/templates/so/so-syslog-template.json b/salt/logstash/pipelines/templates/so/so-syslog-template.json index 61a95c0e7..47f8d78e6 100644 --- a/salt/logstash/pipelines/templates/so/so-syslog-template.json +++ b/salt/logstash/pipelines/templates/so/so-syslog-template.json 
@@ -1,10 +1,14 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %} { - "index_patterns": ["so-zeek-*"], + "index_patterns": ["so-syslog-*"], "version":50001, - "order" : 11, + "order":11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } + diff --git a/salt/logstash/pipelines/templates/so/so-zeek-template.json b/salt/logstash/pipelines/templates/so/so-zeek-template.json index 61a95c0e7..616607f52 100644 --- a/salt/logstash/pipelines/templates/so/so-zeek-template.json +++ b/salt/logstash/pipelines/templates/so/so-zeek-template.json @@ -1,10 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %} { "index_patterns": ["so-zeek-*"], "version":50001, - "order" : 11, + "order":11, "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" } } From ca20279a09df2422cf636018fd0f2487e3bb62f5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 12:00:07 -0400 Subject: [PATCH 156/314] Add curator to static pillar --- setup/so-functions | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 68bd349bd..42f4f809b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1013,6 +1013,11 @@ master_static() { "strelka:"\ " enabled: $STRELKA"\ " rules: $STRELKARULES"\ + "curator:"\ + " hot_warm: False"\ + " warm: 7"\ + " close: 30" + " delete: 45" "elastic:"\ " features: False" > "$static_pillar" From 357efac8739a06f6fa177c1338e24c9c3956739f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 12:10:53 -0400 Subject: [PATCH 157/314] Add index specific curator settings --- setup/so-functions | 80 ++++++++++++++++++++++++++++++---------------- 1 file changed, 52 insertions(+), 28 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 42f4f809b..df3459872 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1015,11 +1015,59 @@ master_static() { " rules: $STRELKARULES"\ "curator:"\ " hot_warm: False"\ - " warm: 7"\ - " close: 30" - " delete: 45" "elastic:"\ - " features: False" > "$static_pillar" + " features: False"\ + "elasticsearch:"\ + " route_type: hot"\ + " replicas: 0"\ + " true_cluster: False" + " true_cluster_name: so" + " index_settings:"\ + " so-beats:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-firewall:"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " shards: 1"\ + " so-ids:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-import:"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " shards: 1"\ + " so-osquery:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-ossec:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-strelka:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-syslog:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" + " so-zeek:"\ + " shards: 5"\ + " warm: 7"\ + " close: 30"\ + " delete: 45" > "$static_pillar" printf '%s\n' '----' >> "$setup_log" 2>&1 cat "$static_pillar" >> "$setup_log" 2>&1 
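Review bot: `" close: 30"` and `" delete: 45"` in the added block end without the trailing `\`, so the printf argument list stops at `" close: 30"`, the following quoted lines run as separate shell commands, and the final `> "$static_pillar"` redirect is attached to a command other than printf, which truncates the pillar file. The fix is the two missing continuations, `" close: 30"\` and `" delete: 45"\`, matching the neighbouring lines. The second so-functions hunk on this line (PATCH 157) repeats the problem on `" true_cluster: False"`, `" true_cluster_name: so"` and every `" delete: 45"` line except the last one that legitimately ends the command, and the PATCH 158 hunk later (`" delete: 7301"`) does too. master_static() begins before the hunk.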
@@ -1071,30 +1119,6 @@ elasticsearch_pillar() { " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ - " cur_close_days: $CURCLOSEDAYS"\ - " route_type: hot"\ - " replicas: 0"\ - " true_cluster: False" - " true_cluster_name: so" - " index_settings:"\ - " so-beats:"\ - " shards: 1"\ - " so-firewall:"\ - " shards: 1"\ - " so-ids:"\ - " shards: 1"\ - " so-import:"\ - " shards: 1"\ - " so-osquery:"\ - " shards: 1"\ - " so-ossec:"\ - " shards: 1"\ - " so-strelka:"\ - " shards: 1"\ - " so-syslog:"\ - " shards: 1"\ - " so-zeek:"\ - " shards: 5"\ "" >> "$pillar_file" if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then From 7c6677916a435dff2e44b74a7c222641b7a13024 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 9 Jul 2020 12:56:29 -0400 Subject: [PATCH 158/314] Curator actions --- salt/curator/files/action/delete.yml | 6 +--- salt/curator/files/action/so-beats-close.yml | 29 +++++++++++++++++++ .../{close.yml => so-firewall-close.yml} | 12 ++------ salt/curator/files/action/so-ids-close.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-import-close.yml | 29 +++++++++++++++++++ .../curator/files/action/so-osquery-close.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-ossec-close.yml | 29 +++++++++++++++++++ .../curator/files/action/so-strelka-close.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-syslog-close.yml | 29 +++++++++++++++++++ salt/curator/files/action/so-zeek-close.yml | 29 +++++++++++++++++++ setup/so-functions | 4 +-- 11 files changed, 238 insertions(+), 16 deletions(-) create mode 100644 salt/curator/files/action/so-beats-close.yml rename salt/curator/files/action/{close.yml => so-firewall-close.yml} (58%) create mode 100644 salt/curator/files/action/so-ids-close.yml create mode 100644 salt/curator/files/action/so-import-close.yml create mode 100644 salt/curator/files/action/so-osquery-close.yml create mode 100644 salt/curator/files/action/so-ossec-close.yml create mode 100644 salt/curator/files/action/so-strelka-close.yml create mode 100644 salt/curator/files/action/so-syslog-close.yml create mode 100644 salt/curator/files/action/so-zeek-close.yml diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index f24f0b781..fb3945c1d 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml 
@@ -1,8 +1,4 @@ -{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%} -{%- endif %} +{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml new file mode 100644 index 000000000..dbbcca1c8 --- /dev/null +++ b/salt/curator/files/action/so-beats-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-beats:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Beats indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-beats.*|so-beats.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/close.yml b/salt/curator/files/action/so-firewall-close.yml similarity index 58% rename from salt/curator/files/action/close.yml rename to salt/curator/files/action/so-firewall-close.yml index d0bd1d5d1..46f0b39a9 100644 --- a/salt/curator/files/action/close.yml +++ b/salt/curator/files/action/so-firewall-close.yml 
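Review bot: The pillar path in the first line of so-beats-close.yml, `elasticsearch:index_settins:so-beats:close`, misspells `index_settings`, the key master_static() writes to the static pillar, so `pillar.get` never finds the configured value and silently falls back to 30. Changing it to `salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30)` fixes it. The same typo is in so-firewall-close.yml, so-ids-close.yml, so-import-close.yml, so-osquery-close.yml, so-ossec-close.yml, so-strelka-close.yml, so-syslog-close.yml and so-zeek-close.yml in this commit; for so-import the pillar value of 7300 set in PATCH 158 is ignored and those indices are closed after 30 days.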
@@ -1,9 +1,4 @@ -{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set cur_close_days = salt['pillar.get']('elasticsearch:cur_close_days', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%} -{%- endif -%} - +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-firewall:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" @@ -15,8 +10,7 @@ actions: 1: action: close description: >- - Close indices older than {{cur_close_days}} days (based on index name), for logstash- - prefixed indices. + Close Firewall indices older than {{cur_close_days}} days. options: delete_aliases: False timeout_override: @@ -25,7 +19,7 @@ actions: filters: - filtertype: pattern kind: regex - value: '^(logstash-.*|so-.*)$' + value: '^(logstash-firewall.*|so-firewall.*)$' - filtertype: age source: name direction: older diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml new file mode 100644 index 000000000..89f08d8d1 --- /dev/null +++ b/salt/curator/files/action/so-ids-close.yml 
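Review bot: Narrowing the pattern from `^(logstash-.*|so-.*)$` to `^(logstash-firewall.*|so-firewall.*)$` removes the only catch-all close action, so any index not matched by one of the nine per-index files — for example the `so-playbook-alerts-*` indices written by playbook-es.py later in this series — is no longer closed by Curator unless another action covers it. If that is intended, a comment in this file stating that each index family has its own action file would help; otherwise a residual action whose pattern excludes the nine covered prefixes would restore the old coverage without re-closing those indices on a second schedule. The rename also drops the role-based lookup, so this file presumably relies on the `elasticsearch:` pillar being present on every role that runs Curator — worth confirming.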
@@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-ids:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close IDS indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-ids.*|so-ids.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml new file mode 100644 index 000000000..b9ee6e5da --- /dev/null +++ b/salt/curator/files/action/so-import-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-import:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Import indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-import.*|so-import.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml new file mode 100644 index 000000000..152a41afa --- /dev/null +++ b/salt/curator/files/action/so-osquery-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-osquery:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close osquery indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-osquery.*|so-osquery.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml new file mode 100644 index 000000000..5ee8c91de --- /dev/null +++ b/salt/curator/files/action/so-ossec-close.yml 
@@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-ossec:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close ossec indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-ossec.*|so-ossec.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml new file mode 100644 index 000000000..a07ab94e8 --- /dev/null +++ b/salt/curator/files/action/so-strelka-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-strelka:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Strelka indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-strelka.*|so-strelka.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml new file mode 100644 index 000000000..3aae50566 --- /dev/null +++ b/salt/curator/files/action/so-syslog-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-syslog:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-syslog.*|so-syslog.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml new file mode 100644 index 000000000..ec1ab9eff --- /dev/null +++ b/salt/curator/files/action/so-zeek-close.yml 
@@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-zeek:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Zeek indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-zeek.*|so-zeek.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/setup/so-functions b/setup/so-functions index df3459872..6d71fbe44 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1040,8 +1040,8 @@ master_static() { " delete: 45" " so-import:"\ " warm: 7"\ - " close: 30"\ - " delete: 45" + " close: 7300"\ + " delete: 7301" " shards: 1"\ " so-osquery:"\ " shards: 1"\ From 823ee42120f8b2c5431a1b2c147a99a28b59f7d9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 9 Jul 2020 13:45:24 -0400 Subject: [PATCH 159/314] https://github.com/Security-Onion-Solutions/securityonion/issues/404 --- README.md | 2 +- salt/common/tools/sbin/so-elastalert-create | 2 +- salt/grafana/dashboards/manager/manager.json | 4 ++-- .../dashboards/managersearch/managersearch.json | 2 +- salt/grafana/etc/dashboards/dashboard.yml | 8 ++++---- salt/grafana/init.sls | 4 ++-- salt/kibana/bin/so-kibana-config-load | 2 +- setup/so-functions | 2 +- setup/so-whiptail | 12 ++++++------ 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index b425ee490..1cff4b355 100644 --- a/README.md +++ b/README.md 
@@ -57,7 +57,7 @@ - Fixed an issue where geoip was not properly parsed. - ATT&CK Navigator is now it's own state. - Standlone mode is now supported. -- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards. +- Managersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Manager node and Search node dashboards. ### Known Issues: diff --git a/salt/common/tools/sbin/so-elastalert-create b/salt/common/tools/sbin/so-elastalert-create index 0270503bf..683b53ed1 100755 --- a/salt/common/tools/sbin/so-elastalert-create +++ b/salt/common/tools/sbin/so-elastalert-create @@ -198,7 +198,7 @@ EOF read alertoption if [ $alertoption = "1" ] ; then - echo "Please enter the email address you want to send the alerts to. Note: Ensure the Master Server is configured for SMTP." + echo "Please enter the email address you want to send the alerts to. Note: Ensure the Manager Server is configured for SMTP." read emailaddress cat << EOF >> "$rulename.yaml" # (Required) diff --git a/salt/grafana/dashboards/manager/manager.json b/salt/grafana/dashboards/manager/manager.json index d1b2bf899..bf2580d34 100644 --- a/salt/grafana/dashboards/manager/manager.json +++ b/salt/grafana/dashboards/manager/manager.json @@ -12,7 +12,7 @@ } ] }, - "description": "This Dashboard provides a general overview of the Master", + "description": "This Dashboard provides a general overview of the Manager", "editable": true, "gnetId": 2381, "graphTooltip": 0, @@ -4162,7 +4162,7 @@ ] }, "timezone": "browser", - "title": "Master Node - {{ SERVERNAME }} Overview", + "title": "Manager Node - {{ SERVERNAME }} Overview", "uid": "{{ UID }}", "version": 3 } \ No newline at end of file 
diff --git a/salt/grafana/dashboards/managersearch/managersearch.json b/salt/grafana/dashboards/managersearch/managersearch.json index 5ed9f9617..485509477 100644 --- a/salt/grafana/dashboards/managersearch/managersearch.json +++ b/salt/grafana/dashboards/managersearch/managersearch.json @@ -13,7 +13,7 @@ } ] }, - "description": "This Dashboard provides a general overview of a MasterSearch Node", + "description": "This Dashboard provides a general overview of a ManagerSearch Node", "editable": true, "gnetId": 2381, "graphTooltip": 0, diff --git a/salt/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml index e08484044..72f77f845 100644 --- a/salt/grafana/etc/dashboards/dashboard.yml +++ b/salt/grafana/etc/dashboards/dashboard.yml @@ -3,15 +3,15 @@ apiVersion: 1 providers: {%- if grains['role'] != 'so-eval' %} -- name: 'Master' - folder: 'Master' +- name: 'Manager' + folder: 'Manager' type: file disableDeletion: false editable: true options: path: /etc/grafana/grafana_dashboards/manager -- name: 'Master Search' - folder: 'Master Search' +- name: 'Manager Search' + folder: 'Manager Search' type: file disableDeletion: false editable: true diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index c47381c26..247a9215b 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -82,7 +82,7 @@ grafanaconf: {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} dashboard-manager: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/manager/{{ SN }}-Master.json + - name: /opt/so/conf/grafana/grafana_dashboards/manager/{{ SN }}-Manager.json - user: 939 - group: 939 - template: jinja 
@@ -105,7 +105,7 @@ dashboard-manager: {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} dashboard-managersearch: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/managersearch/{{ SN }}-MasterSearch.json + - name: /opt/so/conf/grafana/grafana_dashboards/managersearch/{{ SN }}-ManagerSearch.json - user: 939 - group: 939 - template: jinja diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 85ad00bc6..f59d0c10d 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -13,7 +13,7 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # {% endif %} -# SOCtopus and Master +# SOCtopus and Manager sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # Load saved objects diff --git a/setup/so-functions b/setup/so-functions index 7741b4181..4fe573244 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -50,7 +50,7 @@ add_manager_hostfile() { echo "Checking if I can resolve manager. If not add to hosts file" >> "$setup_log" 2>&1 # Pop up an input to get the IP address MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + "Enter your Manager Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus diff --git a/setup/so-whiptail b/setup/so-whiptail index 12fdecf99..97181e94a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -422,7 +422,7 @@ whiptail_homenet_sensor() { [ -n "$TESTING" ] && return # Ask to inherit from manager - whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 75 + whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 local exitstatus=$? 
@@ -462,7 +462,7 @@ whiptail_install_type() { "MANAGER" "Start a new grid " ON \ "SENSOR" "Create a forward only sensor " OFF \ "SEARCHNODE" "Add a search node with parsing " OFF \ - "MANAGERSEARCH" "Master + search node " OFF \ + "MANAGERSEARCH" "Manager + search node " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \ 3>&1 1>&2 2>&3 @@ -600,7 +600,7 @@ whiptail_management_server() { [ -n "$TESTING" ] && return MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) + "Enter your Manager Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -611,7 +611,7 @@ whiptail_management_server() { } -# Ask if you want to do advanced setup of the Master +# Ask if you want to do advanced setup of the Manager whiptail_manager_adv() { [ -n "$TESTING" ] && return @@ -1105,7 +1105,7 @@ whiptail_manager_updates() { local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MANAGER" "Master node is proxy for updates." ON \ + "MANAGER" "Manager node is proxy for updates." ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -1138,7 +1138,7 @@ whiptail_node_updates() { NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MANAGER" "Master node is proxy for updates." ON \ + "MANAGER" "Manager node is proxy for updates." ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? From aea3099df6a8b6d6b1c467cf110be78c416ff3ff Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 9 Jul 2020 13:52:31 -0400 Subject: [PATCH 160/314] change wording --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 97181e94a..a149a5632 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -617,7 +617,7 @@ whiptail_manager_adv() { [ -n "$TESTING" ] && return MANAGERADV=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose what type of manager install:" 20 75 4 \ + "Choose which type of manager to install:" 20 75 4 \ "BASIC" "Install manager with recommended settings" ON \ "ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 ) From 52f7111e1d3919150106ff2a2a87e4b47bba4221 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 9 Jul 2020 13:53:55 -0400 Subject: [PATCH 161/314] Feature - low level alerts --- .../elastalert/files/modules/so/playbook-es.py | 11 ++++++----- salt/elasticsearch/files/elasticsearch.yml | 1 + salt/elasticsearch/files/ingest/beats.common | 11 +++++++++-- salt/elasticsearch/files/ingest/common | 11 ++++++++--- salt/elasticsearch/files/ingest/ossec.alert | 3 +++ salt/elasticsearch/files/ingest/suricata.alert | 3 +++ salt/soctopus/files/SOCtopus.conf | 1 + .../files/templates/es-generic.template | 7 ------- salt/soctopus/files/templates/generic.template | 18 +++++++++++++++--- salt/soctopus/files/templates/osquery.template | 11 +++++++++++ setup/so-functions | 12 ------------ 11 files changed, 57 insertions(+), 32 deletions(-) delete mode 100644 salt/soctopus/files/templates/es-generic.template diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index 0ba3f3601..c794bdf12 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py 
@@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -from datetime import date +from time import gmtime, strftime import requests,json from elastalert.alerts import Alerter @@ -13,11 +13,12 @@ class PlaybookESAlerter(Alerter): def alert(self, matches): for match in matches: + today = strftime("%Y.%m.%d", gmtime()) + timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime()) headers = {"Content-Type": "application/json"} - payload = {"play_title": self.rule['play_title'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"data": match} - today = str(date.today()) - url = f"http://{self.rule['elasticsearch_host']}/playbook-alerts-{today}/_doc/" + payload = {"rule.name": self.rule['play_title'],"event.severity": self.rule['event.severity'],"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"event.module": self.rule['event.module'],"event.dataset": self.rule['event.dataset'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"rule.category": self.rule['rule.category'],"data": match, "@timestamp": timestamp} + url = f"http://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/" requests.post(url, data=json.dumps(payload), headers=headers, verify=False) def get_info(self): - return {'type': 'PlaybookESAlerter'} + return {'type': 'PlaybookESAlerter'} \ No newline at end of file diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 271ef40cf..afb06057a 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -26,3 +26,4 @@ cluster.routing.allocation.disk.threshold_enabled: true cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98% +script.max_compilations_rate: 1000/1m \ No newline at end of file 
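Review bot: The `@timestamp` built on the new line `timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime())` carries no zone designator even though the value is UTC, so any consumer that applies a local-time default will shift it; `strftime("%Y-%m-%dT%H:%M:%SZ", gmtime())` is one format string, explicit about the zone, and drops the adjacent-literal concatenation around `'T'` that reads like a typo waiting to be "fixed". The new payload indexes `self.rule['event.severity']`, `self.rule['kibana_pivot']` and friends directly, so a rule file that omits one of them raises KeyError inside the match loop and the remaining matches are never posted; `self.rule.get(...)` would degrade to a null field instead, if that is the intended behaviour. The enclosing class starts above the hunk.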
diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common
index 0e93abb03..9ea586156 100644
--- a/salt/elasticsearch/files/ingest/beats.common
+++ b/salt/elasticsearch/files/ingest/beats.common
@@ -2,10 +2,17 @@ "description" : "beats.common", "processors" : [ {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, - { "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true } }, - { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, + { "set": { "if": "ctx.winlog?.channel!= null", "field": "event.module", "value": "win_eventlog", "override": true, "ignore_failure": true } }, + { "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "{{winlog.channel}}", "override": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", 
"value": "network_connection", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "image_loaded", "override": true } }, { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index d8de06f31..0878c0463 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common 
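Review bot: The second added `set` (`"if": "ctx.winlog?.channel!= null"` → `event.module` = `win_eventlog` with `"override": true`) runs after the Sysmon processor and also matches the Sysmon channel, so every Sysmon event ends up with `event.module: win_eventlog` and the first processor is effectively dead. Either exclude the Sysmon channel in its condition, `"if": "ctx.winlog?.channel != null && ctx.winlog.channel != 'Microsoft-Windows-Sysmon/Operational'"`, or move it ahead of the Sysmon processor so the more specific value wins. The missing space in `channel!= null` parses but is worth aligning with the other conditions. The processors array continues outside the hunk in both directions.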
@@ -34,14 +34,19 @@ "ignore_failure": true, "index_name_format": "yyyy.MM.dd" } - }, - { "rename": { "field": "module", "target_field": "event.module", "ignore_missing": true } }, - { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_missing": true } }, + }, + { "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "low", "override": true } }, + { "set": { "if": "ctx.event?.severity == 5", "field": "event.severity_label", "value": "medium", "override": true } }, + { "set": { "if": "ctx.event?.severity == 7", "field": "event.severity_label", "value": "high", "override": true } }, + { "set": { "if": "ctx.event?.severity == 10", "field": "event.severity_label", "value": "critical", "override": true } }, + { "rename": { "field": "module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, + { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_failure": true, "ignore_missing": true } }, { "rename": { "field": "category", "target_field": "event.category", "ignore_missing": true } }, { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, + { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "remove": { "field": [ "index_name_prefix", "message2", "type" ], diff --git a/salt/elasticsearch/files/ingest/ossec.alert b/salt/elasticsearch/files/ingest/ossec.alert index 2aab7f630..7654bf255 100644 --- a/salt/elasticsearch/files/ingest/ossec.alert +++ b/salt/elasticsearch/files/ingest/ossec.alert 
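Review bot: The four new `event.severity_label` processors compare `ctx.event?.severity` with 3, 5, 7 and 10, but the producers added in the same commit (the ossec.alert and suricata.alert hunks below) only ever write 1, 2 or 3, so the most severe alert from either source is labelled `low` and the other two severities get no label at all; the two scales need to be reconciled, for example mapping 1/2/3 → low/medium/high here or emitting 3/5/7 there. Separately, the new `convert` of `event.severity` to integer sits after those comparisons, so a severity that arrives as a string (as a value taken from a YAML template can) never satisfies `== 3`; moving the convert above the `set` processors fixes the ordering. The processors list continues outside the hunk.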
@@ -49,6 +49,9 @@
 { "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
 { "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
 { "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
+ { "set": { "if": "ctx.rule.level <= 7", "field": "event.severity", "value": 1, "override": true } },
+ { "set": { "if": "ctx.rule.level >= 8 && ctx.rule.level <= 11", "field": "event.severity", "value": 2, "override": true } },
+ { "set": { "if": "ctx.rule.level >= 12", "field": "event.severity", "value": 3, "override": true } },
 { "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
 { "remove": { "field": [ "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } },
 { "pipeline": { "name": "common" } }
diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert
index 82486adc6..5a0cfc4df 100644
--- a/salt/elasticsearch/files/ingest/suricata.alert
+++ b/salt/elasticsearch/files/ingest/suricata.alert
@@ -7,6 +7,9 @@
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } },
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } },
 { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } },
+ { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
 { "pipeline": { "name": "common" } }
 ]
 }
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index d2c3eea2d..e32aaf8da 100644
--- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -61,6 +61,7 @@ slack_webhook = YOURSLACKWEBHOOK [playbook] playbook_url = http://{{MASTER}}:3200/playbook +playbook_ext_url = https://{{MASTER}}/playbook playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f playbook_verifycert = no playbook_unit_test_index = playbook-testing diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template deleted file mode 100644 index cdda8a19b..000000000 --- a/salt/soctopus/files/templates/es-generic.template +++ /dev/null @@ -1,7 +0,0 @@ -{% set ES = salt['pillar.get']('static:masterip', '') %} - -alert: modules.so.playbook-es.PlaybookESAlerter -elasticsearch_host: "{{ ES }}:9200" -play_title: "" -play_url: "https://{{ ES }}/playbook/issues/6000" -sigma_level: "" diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 68dc040fc..0bdb6a2ba 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -1,6 +1,6 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} -{% set hivekey = salt['pillar.get']('static:hivekey', '') %} +{%- set es = salt['pillar.get']('static:masterip', '') %} +{%- set hivehost = salt['pillar.get']('static:masterip', '') %} +{%- set hivekey = salt['pillar.get']('static:hivekey', '') %} alert: hivealerter hive_connection: 
@@ -23,3 +23,15 @@ hive_alert_config: status: 'New' follow: True caseTemplate: '5000' + +alert: modules.so.playbook-es.PlaybookESAlerter +elasticsearch_host: "{{ es }}:9200" +play_title: "" +event.module: "playbook" +event.dataset: "alert" +event.severity: +rule.category: +play_url: "https://{{ es }}/playbook/issues/6000" +kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{es}}/#/hunt" +sigma_level: "" \ No newline at end of file diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template index 28ea29ee9..90bc0743e 100644 --- a/salt/soctopus/files/templates/osquery.template +++ b/salt/soctopus/files/templates/osquery.template @@ -31,3 +31,14 @@ hive_alert_config: caseTemplate: '5000' +alert: modules.so.playbook-es.PlaybookESAlerter +elasticsearch_host: "{{ es }}:9200" +play_title: "" +event.module: "playbook" +event.dataset: "alert" +event.severity: +rule.category: +play_url: "https://{{ es }}/playbook/issues/6000" +kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{es}}/#/hunt" +sigma_level: "" \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index fdfcf37eb..4d8951fb9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -783,18 +783,6 @@ firewall_generate_templates() { } -fleet_pillar() { - - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - # Create the fleet pillar - printf '%s\n'\ - "fleet:"\ - " mainip: $MAINIP"\ - " master: $MSRV"\ - "" > "$pillar_file" -} - generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) From bdd0f64462d2dceddc0e541dd866b795befa3f72 Mon Sep 17 00:00:00 2001 
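Review bot: The appended `alert: modules.so.playbook-es.PlaybookESAlerter` is a second top-level `alert` key in a file that already has `alert: hivealerter` above the hunk; if the template is loaded as one YAML document, most parsers keep only the last value and the hive alerter is silently dropped — ElastAlert accepts a list here, `alert:` / `  - hivealerter` / `  - modules.so.playbook-es.PlaybookESAlerter`, if both are meant to fire, and if SOCtopus instead fills the template textually before loading it, a one-line comment at the top of the stanza saying so would save the next reader the same question. `event.severity:` and `rule.category:` are bare values, which YAML reads as null rather than the empty string used for the neighbouring `play_title: ""`; quote them or mark them as placeholders so a missing substitution fails loudly. The osquery.template hunk has the same duplicate key and the same bare values.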
From: m0duspwnens Date: Thu, 9 Jul 2020 13:54:48 -0400 Subject: [PATCH 162/314] add period --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index a149a5632..4d3d72c40 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1125,7 +1125,7 @@ whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup"\ - --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue"\ + --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\ 8 75 local exitstatus=$? From c5eff1d89eee1aa6203cd305acec6d49f4f03483 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 9 Jul 2020 14:47:55 -0400 Subject: [PATCH 163/314] [feat][WIP] Add option to run `so-allow -a ` during setup --- salt/common/tools/sbin/so-allow | 26 +++++++++++++------------- setup/so-setup | 4 +++- setup/so-whiptail | 26 +++++++++++++++++++++++--- 3 files changed, 39 insertions(+), 17 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 71c8f8c9b..c6d3d6bf0 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -89,7 +89,7 @@ if [ "$SKIP" -eq 0 ]; then echo "[p] - Wazuh API - port 55000/tcp" echo "[r] - Wazuh registration service - 1515/tcp" echo "" - echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" + echo "Please enter your selection:" read -r ROLE echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" read -r IP 
@@ -127,16 +127,16 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" - if ! grep -q "$IP" $WAZUH_MGR_CFG ; then - DATE=$(date) - sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG - sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." - echo - echo "Restarting OSSEC Server..." - /usr/sbin/so-wazuh-restart - fi - fi + WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + if ! grep -q "$IP" $WAZUH_MGR_CFG ; then + DATE=$(date) + sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG + sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG + echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG + echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." + echo + echo "Restarting OSSEC Server..." + /usr/sbin/so-wazuh-restart + fi + fi fi diff --git a/setup/so-setup b/setup/so-setup index 3f6d42380..0f28f1244 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -331,6 +331,8 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi +if [[ $is_master ]]; then whiptail_so_allow; fi + whiptail_make_changes if [[ -n "$TURBO" ]]; then @@ -620,7 +622,7 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ $success != 0 || $SO_ERROR == 1 ]]; then whiptail_setup_failed +if [[ $success != 0 || -n $SO_ERROR ]]; then whiptail_setup_failed else whiptail_setup_complete if [[ $THEHIVE == 1 ]]; then check_hive_init; fi diff --git a/setup/so-whiptail b/setup/so-whiptail index e165ba351..0b34d3cb8 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -435,9 +435,7 @@ whiptail_homenet_sensor() { whiptail_check_exitstatus $exitstatus export HNSENSOR - fi - } whiptail_install_type() { 
@@ -1057,6 +1055,29 @@ whiptail_shard_count() { } +whiptail_so_allow() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" \ + --yesno "Do you want to run so-allow to allow access to the web tools?" \ + 8 75 + + local exitstatus=$? + + if [[ $exitstatus == 0 ]]; then + ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ + --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \ + 10 75 125 3>&1 1>&2 2>&3) + local exitstatus=$? + + export ALLOW_ROLE='a' + export ALLOW_CIDR + fi + + whiptail_check_exitstatus $exitstatus +} + whiptail_strelka_rules() { [ -n "$TESTING" ] && return @@ -1073,7 +1094,6 @@ whiptail_strelka_rules() { export STRELKARULES fi - } whiptail_suricata_pins() { From 58d290aa5779fd53b5d00d155ce0db87c287ca9f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 9 Jul 2020 15:32:19 -0400 Subject: [PATCH 164/314] Update so-setup --- setup/so-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 3f6d42380..6ac24f33d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -367,14 +367,14 @@ fi set_main_ip >> $setup_log 2>&1 +host_pillar >> $setup_log 2>&1 + if [[ $is_minion ]]; then set_updates >> $setup_log 2>&1 copy_ssh_key >> $setup_log 2>&1 fi -if [[ "$OSQUERY" = 1 ]]; then - host_pillar >> $setup_log 2>&1 -fi + # Begin install { From 5ca3ecf4bd8914c89de786dcc9bb1e068193ab2c Mon Sep 17 00:00:00 2001 
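Review bot: In the new `whiptail_so_allow`, declining the `--yesno` box leaves `exitstatus` at 1 and that value is handed to `whiptail_check_exitstatus` after the `if`; if that helper treats non-zero as a cancel, as the surrounding prompts suggest, answering "No" aborts setup instead of skipping the step, so return early on a non-zero yes/no status and only check the inputbox status. `ALLOW_CIDR` is exported unvalidated and later reaches `so-allow` as `IP` (and, through it, the firewall pillar and the `ossec.conf` edits shown in the so-allow hunk above); a check such as `[[ $ALLOW_CIDR =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]` before the `export` would reject malformed input at the prompt. The second `local exitstatus=$?` redeclares a local already declared in the same function, which bash accepts but reads as an oversight. The function is entirely within the hunk.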
From: m0duspwnens Date: Thu, 9 Jul 2020 15:42:39 -0400 Subject: [PATCH 165/314] fix reference to master grain --- salt/ca/init.sls | 2 +- salt/common/tools/sbin/so-import-pcap | 2 +- salt/curator/init.sls | 2 +- salt/elastalert/init.sls | 2 +- salt/elasticsearch/init.sls | 2 +- salt/filebeat/init.sls | 2 +- salt/fleet/event_gen-packages.sls | 2 +- salt/fleet/init.sls | 2 +- salt/grafana/init.sls | 2 +- salt/idstools/init.sls | 2 +- salt/influxdb/init.sls | 2 +- salt/kibana/init.sls | 2 +- salt/logstash/init.sls | 2 +- salt/manager/init.sls | 2 +- salt/mysql/init.sls | 2 +- salt/nginx/init.sls | 2 +- salt/pcap/init.sls | 2 +- salt/playbook/init.sls | 2 +- salt/redis/init.sls | 2 +- salt/soc/init.sls | 2 +- salt/soctopus/init.sls | 2 +- salt/ssl/init.sls | 2 +- salt/suricata/init.sls | 2 +- salt/tcpreplay/init.sls | 2 +- salt/telegraf/init.sls | 2 +- salt/thehive/init.sls | 2 +- salt/wazuh/init.sls | 2 +- salt/zeek/init.sls | 2 +- 28 files changed, 28 insertions(+), 28 deletions(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 0def5677e..da442cc2a 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -1,4 +1,4 @@ -{% set manager = salt['grains.get']('manager') %} +{% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://ca/files/signing_policies.conf diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 1d1fd5f70..4ccea215f 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion') %} {%- set MANAGERIP = salt['pillar.get']('static:managerip') -%} 
diff --git a/salt/curator/init.sls b/salt/curator/init.sls index e43f7e91b..b3ef08082 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %} # Curator # Create the group diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 37c0e903e..9bfc8ded4 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} {% set esalert = salt['pillar.get']('manager:elastalert', '1') %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index be0752665..14cc38434 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 68b488569..8a2b868ce 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -12,7 +12,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 7c0ec9091..1cf7e331a 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -1,4 +1,4 @@ -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} {% set VERSION = salt['pillar.get']('static:soversion') %} diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index d597f44d8..7858ca298 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -2,7 +2,7 @@ {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 247a9215b..1f448f6f0 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls 
@@ -1,5 +1,5 @@ {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index a73c21d72..68d14d397 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} # IDSTools Setup idstoolsdir: file.directory: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 304018a12..6d6bfd328 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,5 +1,5 @@ {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 74b59f9ca..792f41579 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} {% set FEATURES = "-features" %} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 252f0efdc..784db9525 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 9ca936b2a..e1d8cdb12 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %} socore_own_saltstack: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 928d14c1f..e8120724c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,7 +1,7 @@ {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} {% set FLEETARCH = salt['grains.get']('role') %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2c6f55ef1..8bbdced0f 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls 
@@ -1,6 +1,6 @@ {% set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} # Drop the correct nginx config based on role diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index a492ffc82..dc3db3c21 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %} {% set BPF_COMPILED = "" %} diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index da1461871..6de1c121d 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,6 +1,6 @@ {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index ec36d164c..4b61c35ef 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} # Redis Setup redisconfdir: diff --git a/salt/soc/init.sls b/salt/soc/init.sls index bf7250e72..0490aa13d 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} socdir: file.directory: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 1621de936..11727e149 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {%- set MANAGER_URL = salt['pillar.get']('manager:url_base', '') %} {%- set MANAGER_IP = salt['pillar.get']('static:managerip', '') %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 1ef5e81c2..a0780ecf6 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,4 +1,4 @@ -{% set manager = salt['grains.get']('manager') %} +{% set manager = salt['grains.get']('master') %} {% set managerip = salt['pillar.get']('static:managerip', '') %} {% set HOSTNAME = salt['grains.get']('host') %} {% set global_ca_text = [] %} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 7790887d9..0dc16e6b0 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls 
@@ -16,7 +16,7 @@ {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BROVER = salt['pillar.get']('static:broversion', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} {% set BPF_STATUS = 0 %} diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 78c6a18c6..460552bf8 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,6 +1,6 @@ {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} so-tcpreplay: docker_container.running: diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 782707a44..e75608c6a 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,4 +1,4 @@ -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} # Add Telegraf to monitor all the things. diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index a1b9b50f1..6d8ac494d 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -1,6 +1,6 @@ {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} thehiveconfdir: file.directory: - name: /opt/so/conf/thehive/etc diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 6e8c757f1..c4ca27d95 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
@@ -1,6 +1,6 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} # Add ossec group ossecgroup: group.present: diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index af8b2b4d6..d977900dc 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,5 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MANAGER = salt['grains.get']('manager') %} +{% set MANAGER = salt['grains.get']('master') %} {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} From 33179141a1bd5cb4ba7ee4988de86853cc1a9de4 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Jul 2020 16:11:33 -0400 Subject: [PATCH 166/314] Enable PCAP pivots from imports --- salt/common/tools/sbin/so-import-pcap | 5 ++++- salt/pcap/files/sensoroni.json | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 9e54820e0..0c99ede64 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -206,13 +206,16 @@ if [ "$INVALID_PCAPS" = "yes" ]; then echo "Please note! One or more pcaps was invalid! You can scroll up to see which ones were invalid." fi +START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g') +END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') + if [ "$VALID_PCAPS" = "yes" ]; then cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ MASTERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) +https://{{ MASTERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20PM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20PM or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index ed673d969..654148f2a 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -8,6 +8,7 @@ "serverUrl": "https://{{ MASTER }}/sensoroniagents", "verifyCert": false, "modules": { + "importer": {}, "statickeyauth": { "apiKey": "{{ SENSORONIKEY }}" }, From 3c6465bb7f5347ce72f6ebe79fdd55954b8b9ea1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 16:42:39 -0400 Subject: [PATCH 167/314] ES Jinja the config --- salt/elasticsearch/files/elasticsearch.yml | 24 +++++++-------- setup/so-functions | 36 +++++++++++++--------- 2 files changed, 32 insertions(+), 28 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 02dd42aa5..8833f801e 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
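Review bot: Both ends of the new Hunt link carry `00:00:00` on their respective day, so the range stops at the start of `END_NEWEST` rather than its end and, if Hunt treats `t=` as an absolute range, the newest day's events are left out; the `END_NEWEST_SLASH` side should encode an end-of-day time, and `00%3A00%3A00%20PM` is an unusual 12-hour time that is worth checking against how Hunt parses it. The two new assignments also expand `$START_OLDEST` and `$END_NEWEST` unquoted through `echo | sed`; if the script runs under bash, `START_OLDEST_SLASH="${START_OLDEST//-/%2F}"` does the same substitution without a subshell or word splitting. The surrounding script continues outside the hunk.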
@@ -1,6 +1,11 @@
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
-{%- set esclustername = salt['pillar.get']('master:esclustername', '') %}
-cluster.name: "{{ esclustername }}"
+{%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %}
+{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or if salt['pillar.get']('elasticsearch:true_cluster')}
+{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name', '') %}
+{%- else %}
+{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername', '') %}
+{%- endif %}
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+cluster.name: "{{ ESCLUSTERNAME }}"
 network.host: 0.0.0.0
 
 # minimum_master_nodes need to be explicitly set when bound on a public IP
@@ -10,19 +15,12 @@ discovery.zen.minimum_master_nodes: 1
 # This is a test -- if this is here, then the volume is mounted correctly.
 path.logs: /var/log/elasticsearch
 action.destructive_requires_name: true
-{%- else %}
-{%- set esclustername = salt['grains.get']('host', '') %}
-{%- set nodeip = salt['pillar.get']('elasticsearch:mainip', '') -%}
-cluster.name: "{{ esclustername }}"
-network.host: 0.0.0.0
-discovery.zen.minimum_master_nodes: 1
-path.logs: /var/log/elasticsearch
-action.destructive_requires_name: true
 transport.bind_host: 0.0.0.0
-transport.publish_host: {{ nodeip }}
+transport.publish_host: {{ NODEIP }}
 transport.publish_port: 9300
-{%- endif %}
 cluster.routing.allocation.disk.threshold_enabled: true
 cluster.routing.allocation.disk.watermark.low: 95%
 cluster.routing.allocation.disk.watermark.high: 98%
 cluster.routing.allocation.disk.watermark.flood_stage: 98%
+node.attr.box_type: {{ NODE_ROUTE_TYPE }}
+node.name: {{ esclustername }}
diff --git a/setup/so-functions b/setup/so-functions
index 6d71fbe44..8ee44ab1d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
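Review bot: `node.name: {{ esclustername }}` at the end of the second hunk references the lowercase variable this patch deletes, so it renders empty and an unquoted empty value is YAML null; the uppercase `ESCLUSTERNAME` it presumably meant is the cluster name, which would give every node rendered from this template the same `node.name` — a per-host value such as the `grains.get('host')` the removed branch used looks intended, e.g. `node.name: "{{ salt['grains.get']('host', '') }}"`. `transport.publish_host: {{ NODEIP }}` and `node.attr.box_type: {{ NODE_ROUTE_TYPE }}` are unquoted as well; quoting them keeps an empty pillar value a string instead of null. The patch 175 hunk further down only switches the name to `ESCLUSTERNAME`, so the shared-node-name problem applies there too. In the first hunk, `{%- if ... or if salt['pillar.get'](...)}` is not a valid Jinja block tag (`or if`, and `}` instead of `%}`), so the template will not render as committed.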
@@ -1018,55 +1018,60 @@ master_static() { "elastic:"\ " features: False"\ "elasticsearch:"\ - " route_type: hot"\ " replicas: 0"\ - " true_cluster: False" - " true_cluster_name: so" + " true_cluster: False"\ + " true_cluster_name: so"\ + " discovery_nodes: 1"\ + " hot_warm_enabled: False"\ + " cluster_routing_allocation_disk.threshold_enabled: true"\ + " cluster_routing_allocation_disk_watermark_low: 95%"\ + " cluster_routing_allocation_disk_watermark_high: 98%"\ + " cluster_routing_allocation_disk_watermark_flood_stage: 98%"\ " index_settings:"\ " so-beats:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365" " so-firewall:"\ + " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" - " shards: 1"\ + " delete: 365"\ " so-ids:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365"\ " so-import:"\ + " shards: 1"\ " warm: 7"\ - " close: 7300"\ - " delete: 7301" - " shards: 1"\ + " close: 73000"\ + " delete: 73001" " so-osquery:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365" " so-ossec:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365"\ " so-strelka:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365"\ " so-syslog:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 45" + " delete: 365"\ " so-zeek:"\ " shards: 5"\ " warm: 7"\ - " close: 30"\ + " close: 365"\ " delete: 45" > "$static_pillar" printf '%s\n' '----' >> "$setup_log" 2>&1 @@ -1119,6 +1124,7 @@ elasticsearch_pillar() { " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ + " node_route_type: hot"\ "" >> "$pillar_file" if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MASTERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then From 6094d19b0bfec70c7b511c3ed5a26b4c8b625b2e Mon Sep 17 00:00:00 2001 
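Review bot: In the `so-zeek` stanza the new `close: 365` now sits next to `delete: 45`, so the index would be deleted 320 days before it is closed; either `close: 30` should stay or `delete` should move past 365 like the other indices. The `so-beats`, `so-import` and `so-osquery` `delete:` lines still have no trailing backslash, which ends the argument list early and leaves the following `" so-firewall:"`-style strings to run as separate commands (the patch 173 hunk below repairs those three). `cluster_routing_allocation_disk.threshold_enabled` mixes `.` and `_` while its three sibling watermark keys are all underscores — pick one spelling so the consuming template can look them up consistently. `master_static()` begins before the hunk.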
From: Mike Reeves Date: Thu, 9 Jul 2020 16:54:31 -0400 Subject: [PATCH 168/314] Make hot default --- salt/elasticsearch/files/elasticsearch.yml | 2 +- salt/logstash/pipelines/templates/so/so-common-template.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 8833f801e..ac27fb9b5 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -1,5 +1,5 @@ {%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %} -{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or if salt['pillar.get']('elasticsearch:true_cluster')} +{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or salt['pillar.get']('elasticsearch:true_cluster')} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name', '') %} {%- else %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername', '') %} diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/logstash/pipelines/templates/so/so-common-template.json index 1b4bb1206..a4da40765 100644 --- a/salt/logstash/pipelines/templates/so/so-common-template.json +++ b/salt/logstash/pipelines/templates/so/so-common-template.json @@ -5,7 +5,8 @@ "settings":{ "number_of_replicas":0, "number_of_shards":1, - "index.refresh_interval":"30s" + "index.refresh_interval":"30s", + "index.routing.allocation.require.box_type":"hot" }, "mappings":{ "dynamic":false, From ad6c9e7fe9349962ab13772120ff1c0167531632 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 16:58:35 -0400 Subject: [PATCH 169/314] recurse actions for curator --- salt/curator/init.sls | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 8d3147242..049a1cae8 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
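Review bot: The corrected `if` line in the elasticsearch.yml hunk still ends with `')}` rather than `') %}`, so the block tag remains unterminated and the template still fails to render; the patch 175 hunk below carries that fix. In the so-common-template.json hunk, `"index.routing.allocation.require.box_type":"hot"` means every index created from this template can only allocate shards on nodes that advertise `node.attr.box_type: hot`; `node_route_type` defaults to `hot`, but any node rendered from an older elasticsearch.yml without that attribute leaves those shards unassigned, which is worth calling out in the commit message.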
@@ -30,18 +30,10 @@ curlogdir: - user: 934 - group: 939 -curcloseconf: - file.managed: - - name: /opt/so/conf/curator/action/close.yml - - source: salt://curator/files/action/close.yml - - user: 934 - - group: 939 - - template: jinja - -curdelconf: - file.managed: - - name: /opt/so/conf/curator/action/delete.yml - - source: salt://curator/files/action/delete.yml +actionconfs: + file.recurse: + - name: /opt/so/conf/curator/action + - source: salt://curator/files/action - user: 934 - group: 939 - template: jinja From 9c2dcd2318f22b4876571b3848fbf54a3efdc119 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 9 Jul 2020 17:06:44 -0400 Subject: [PATCH 170/314] fix reference to master grain --- salt/filebeat/etc/filebeat.yml | 2 +- salt/pcap/files/sensoroni.json | 2 +- salt/strelka/init.sls | 2 +- salt/telegraf/etc/telegraf.conf | 2 +- salt/utility/bin/crossthestreams | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 37f0ec9f4..3011c59f0 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -1,7 +1,7 @@ {%- if grains.role == 'so-heavynode' %} {%- set MANAGER = salt['pillar.get']('sensor:mainip' '') %} {%- else %} -{%- set MANAGER = grains['manager'] %} +{%- set MANAGER = salt['grains.get']('master') %} {%- endif %} diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index edcec2f6c..1b383d915 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -1,4 +1,4 @@ -{%- set MANAGER = grains['manager'] -%} +{%- set MANAGER = salt['grains.get']('master') -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index a77b635fe..b34ee92da 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
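Review bot: `actionconfs` now manages the whole `/opt/so/conf/curator/action` directory with `file.recurse`, but without `- clean: True` an action file removed from `salt://curator/files/action` stays on the minion and curator keeps running it; add `- clean: True` if the directory is meant to mirror the salt tree. With `- template: jinja` every file under the source is rendered, so anything placed there later must be Jinja-safe.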
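Review bot: In the filebeat.yml hunk the context line `{%- set MANAGER = salt['pillar.get']('sensor:mainip' '') %}` is missing the comma between its two arguments; Jinja, as far as I recall, concatenates adjacent string literals, so this evaluates as `pillar.get('sensor:mainip')` and the explicit empty-string default is silently dropped. It should read `salt['pillar.get']('sensor:mainip', '')` to match the other branch. The changed line itself is fine.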
@@ -12,7 +12,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- set MANAGER = grains['manager'] %} +{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index f768efe74..70ca7837f 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -13,7 +13,7 @@ # them with $. For strings the variable must be within quotes (ie, "$STR_VAR"), # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) -{%- set MANAGER = grains['manager'] %} +{%- set MANAGER = salt['grains.get']('master') %} {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index 31cbdfceb..d21e3c1a4 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams @@ -1,6 +1,6 @@ #!/bin/bash {% set ES = salt['pillar.get']('manager:mainip', '') %} -{%- set MANAGER = grains['manager'] %} +{%- set MANAGER = salt['grains.get']('master') %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." From 9a7035326dc49e3e6341a7750c5cf4720a2bcbf5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 17:09:20 -0400 Subject: [PATCH 171/314] Update Logstash pillar --- pillar/logstash/eval.sls | 7 +++++++ pillar/logstash/search.sls | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls index 39a87dc77..e76f16d72 100644 --- a/pillar/logstash/eval.sls 
+++ b/pillar/logstash/eval.sls @@ -18,4 +18,11 @@ logstash: templates: - so/so-beats-template.json - so/so-common-template.json + - so/so-firewall-template.json + - so/so-ids-template.json + - so/so-import-template.json + - so/so-osquery-template.json + - so/so-ossec-template.json + - so/so-strelka-template.json + - so/so-syslog-template.json - so/so-zeek-template.json diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 6b3d0422e..033243956 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -12,5 +12,13 @@ logstash: - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja templates: + - so/so-beats-template.json - so/so-common-template.json + - so/so-firewall-template.json + - so/so-ids-template.json + - so/so-import-template.json + - so/so-osquery-template.json + - so/so-ossec-template.json + - so/so-strelka-template.json + - so/so-syslog-template.json - so/so-zeek-template.json From b2e7a4221ca19cb300ba27ea8ac665cdd4c394d7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 9 Jul 2020 17:19:17 -0400 Subject: [PATCH 172/314] master to manager for ssl signing policy --- salt/ca/files/signing_policies.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index e253f8911..b25a9935b 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -26,7 +26,7 @@ x509_signing_policies: - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ - masterssl: + managerssl: - minions: '*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt From 8ef18f90443df2401ad5cde7f714a04deb509472 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 9 Jul 2020 18:51:59 -0400 Subject: [PATCH 173/314] Fiz pillar --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
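Review bot: Renaming the signing policy to `managerssl` changes the name that certificate states request via `signing_policy`, and the diffstat shows only this file changing, so any state still asking for `masterssl` will fail to sign until it is updated in the same change. The policy's `- minions: '*'` (context) lets every minion obtain certificates under it; while the name is being touched, confirm that breadth is intended rather than a glob scoped to the manager host.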
diff --git a/setup/so-functions b/setup/so-functions index 8ee44ab1d..51d6d43e6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1032,7 +1032,7 @@ master_static() { " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 365" + " delete: 365"\ " so-firewall:"\ " shards: 1"\ " warm: 7"\ @@ -1044,15 +1044,15 @@ master_static() { " close: 30"\ " delete: 365"\ " so-import:"\ - " shards: 1"\ + " shards: 1"\ " warm: 7"\ " close: 73000"\ - " delete: 73001" + " delete: 73001"\ " so-osquery:"\ " shards: 1"\ " warm: 7"\ " close: 30"\ - " delete: 365" + " delete: 365"\ " so-ossec:"\ " shards: 1"\ " warm: 7"\ From 6bfd777d25f93d180525853f8ef4b6a67cc49171 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Jul 2020 21:34:35 -0400 Subject: [PATCH 174/314] Enabled elastalert log --- salt/elastalert/files/elastalert_config.yaml | 22 ++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml index 2ecf08ffa..c7b8b52bb 100644 --- a/salt/elastalert/files/elastalert_config.yaml +++ b/salt/elastalert/files/elastalert_config.yaml @@ -86,3 +86,25 @@ alert_time_limit: index_settings: shards: 1 replicas: 0 + +logging: + version: 1 + incremental: false + disable_existing_loggers: false + formatters: + logline: + format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' + + handlers: + file: + class : logging.FileHandler + formatter: logline + level: INFO + filename: /var/log/elastalert/elastalert.log + + loggers: + '': + level: INFO + handlers: + - file + propagate: false From 1a6c4c12b4a568ea6815a95542df1101e77296b6 Mon Sep 17 00:00:00 2001 
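Review bot: The new `file` handler in the elastalert_config.yaml hunk uses `logging.FileHandler` on `/var/log/elastalert/elastalert.log` with no rotation, so the file grows until something outside the container rotates it; `class: logging.handlers.RotatingFileHandler` with `maxBytes` and `backupCount` (or a logrotate entry for that path) keeps it bounded. `class : logging.FileHandler` also has a space before the colon, unlike every other key in the hunk. With `disable_existing_loggers: false` and the root logger at `INFO`, library loggers also land in this file — acceptable if intended, but worth confirming.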
From: Mike Reeves Date: Thu, 9 Jul 2020 21:56:32 -0400 Subject: [PATCH 175/314] Fix elasticsearch yaml --- salt/elasticsearch/files/elasticsearch.yml | 4 ++-- .../{so-beats-template.json => so-beats-template.json.jinja} | 0 ...firewall-template.json => so-firewall-template.json.jinja} | 0 .../so/{so-ids-template.json => so-ids-template.json.jinja} | 0 ...{so-import-template.json => so-import-template.json.jinja} | 0 5 files changed, 2 insertions(+), 2 deletions(-) rename salt/logstash/pipelines/templates/so/{so-beats-template.json => so-beats-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-firewall-template.json => so-firewall-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-ids-template.json => so-ids-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-import-template.json => so-import-template.json.jinja} (100%) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index ac27fb9b5..a38c3db87 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -1,5 +1,5 @@ {%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %} -{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or salt['pillar.get']('elasticsearch:true_cluster')} +{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or salt['pillar.get']('elasticsearch:true_cluster') %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name', '') %} {%- else %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername', '') %} @@ -23,4 +23,4 @@ cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98% node.attr.box_type: {{ NODE_ROUTE_TYPE }} -node.name: {{ esclustername }} +node.name: {{ ESCLUSTERNAME }} 
diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-beats-template.json rename to salt/logstash/pipelines/templates/so/so-beats-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-firewall-template.json b/salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-firewall-template.json rename to salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-ids-template.json b/salt/logstash/pipelines/templates/so/so-ids-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-ids-template.json rename to salt/logstash/pipelines/templates/so/so-ids-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-import-template.json b/salt/logstash/pipelines/templates/so/so-import-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-import-template.json rename to salt/logstash/pipelines/templates/so/so-import-template.json.jinja From f5114c034d7afa4433d98c4f6b815f42c9d92994 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 10 Jul 2020 05:52:10 -0400 Subject: [PATCH 176/314] change Log Type query in Hunt to include event.dataset in the groupby --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 693c44aeb..670b44ab5 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -83,7 +83,7 @@ }, "queries": [ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, - { "name": "Log Type", "description": "Show all events grouped by type", "query": "* | groupby event.module"}, + { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"}, { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name"}, From 2ce254dfb0b45cf9f30f333db23dfd98c2f19273 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 10 Jul 2020 06:00:36 -0400 Subject: [PATCH 177/314] add new DPD query to Hunt --- salt/soc/files/soc/soc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 670b44ab5..aeb017e68 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -107,6 +107,7 @@ { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, + { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, { "name": "FTP", "description": "FTP grouped by argument", "query": "event.dataset:ftp | groupby ftp.argument"}, From 3706aa76d8b6b26152d86d73a86d7c2ace5b93ba Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 10 Jul 2020 10:35:31 -0400 Subject: [PATCH 178/314] Add jinja extension --- pillar/logstash/search.sls | 18 +++++++++--------- ...ate.json => so-osquery-template.json.jinja} | 0 ...plate.json => so-ossec-template.json.jinja} | 0 ...ate.json => so-strelka-template.json.jinja} | 0 ...late.json => so-syslog-template.json.jinja} | 0 ...mplate.json => so-zeek-template.json.jinja} | 0 6 files changed, 9 insertions(+), 9 deletions(-) rename salt/logstash/pipelines/templates/so/{so-osquery-template.json => so-osquery-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-ossec-template.json => so-ossec-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-strelka-template.json => so-strelka-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-syslog-template.json => so-syslog-template.json.jinja} (100%) rename salt/logstash/pipelines/templates/so/{so-zeek-template.json => so-zeek-template.json.jinja} (100%) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 033243956..6602e0591 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -12,13 +12,13 @@ logstash: - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja templates: - - so/so-beats-template.json + - so/so-beats-template.json.jinja - so/so-common-template.json - - so/so-firewall-template.json - - so/so-ids-template.json - - so/so-import-template.json - - so/so-osquery-template.json - - so/so-ossec-template.json - - so/so-strelka-template.json - - so/so-syslog-template.json - - so/so-zeek-template.json + - so/so-firewall-template.json.jinja + - so/so-ids-template.json.jinja + - so/so-import-template.json.jinja + - so/so-osquery-template.json.jinja + - so/so-ossec-template.json.jinja + - so/so-strelka-template.json.jinja + - so/so-syslog-template.json.jinja + - so/so-zeek-template.json.jinja 
diff --git a/salt/logstash/pipelines/templates/so/so-osquery-template.json b/salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-osquery-template.json rename to salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-ossec-template.json b/salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-ossec-template.json rename to salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-strelka-template.json b/salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-strelka-template.json rename to salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-syslog-template.json b/salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-syslog-template.json rename to salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-zeek-template.json b/salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-zeek-template.json rename to salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja From 0a1b5f29ebf19e24d3de34619062e41c7a2322c7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 10 Jul 2020 10:48:49 -0400 Subject: [PATCH 179/314] merge with dev and resolv conflicts --- salt/common/tools/sbin/so-import-pcap | 4 ---- salt/soctopus/files/SOCtopus.conf | 6 +----- salt/soctopus/files/templates/generic.template | 6 ------ setup/so-functions | 3 --- 4 files changed, 1 insertion(+), 18 deletions(-) 
diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 72395d60c..1c77542f6 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -215,11 +215,7 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -<<<<<<< HEAD https://{{ MANAGERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) -======= -https://{{ MASTERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20PM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20PM ->>>>>>> remotes/origin/dev or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index b194466a1..477113376 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -60,12 +60,8 @@ slack_url = YOURSLACKWORKSPACE slack_webhook = YOURSLACKWEBHOOK [playbook] -<<<<<<< HEAD playbook_url = http://{{MANAGER}}:3200/playbook -======= -playbook_url = http://{{MASTER}}:3200/playbook -playbook_ext_url = https://{{MASTER}}/playbook ->>>>>>> remotes/origin/dev +playbook_ext_url = https://{{MANAGER}}/playbook playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f playbook_verifycert = no playbook_unit_test_index = playbook-testing diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 28aa49d9b..7bb5a969d 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template 
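Review bot: The conflict is resolved by keeping the Kibana dashboard link and discarding the Hunt link that patch 166 introduced, which silently reverts "Enable PCAP pivots from imports"; the commit message should say which link is intended. If the `START_OLDEST_SLASH`/`END_NEWEST_SLASH` assignments from that patch are still above this hunk (they are outside it), they are now dead code and should either be removed or the Hunt link restored under `MANAGERIP`.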
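Review bot: `playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f` (context, just below the changed line in the SOCtopus.conf hunk) is a static API key committed in the template, whereas the comparable `hivekey` in `generic.template` is pulled from pillar via `salt['pillar.get']('static:hivekey', '')`; the playbook key should be templated the same way so it is per-install and not in VCS. The neighbouring `playbook_verifycert = no` disables certificate checking for the new `playbook_ext_url = https://{{MANAGER}}/playbook`; if the manager certificate is issued by the CA this repo manages, `yes` would be the safer setting — confirm. The `[playbook]` section presumably continues below the hunk.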
@@ -1,12 +1,6 @@ -<<<<<<< HEAD {% set es = salt['pillar.get']('static:managerip', '') %} {% set hivehost = salt['pillar.get']('static:managerip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} -======= -{%- set es = salt['pillar.get']('static:masterip', '') %} -{%- set hivehost = salt['pillar.get']('static:masterip', '') %} -{%- set hivekey = salt['pillar.get']('static:hivekey', '') %} ->>>>>>> remotes/origin/dev alert: hivealerter hive_connection: diff --git a/setup/so-functions b/setup/so-functions index 2b53352e0..4fe573244 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -838,7 +838,6 @@ firewall_generate_templates() { } -<<<<<<< HEAD fleet_pillar() { local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls @@ -851,8 +850,6 @@ fleet_pillar() { "" > "$pillar_file" } -======= ->>>>>>> remotes/origin/dev generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) From bbef7955b257aa5993f24d6f88b54ae96c7ba05c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 10 Jul 2020 11:36:46 -0400 Subject: [PATCH 180/314] Update eval.sls --- pillar/logstash/eval.sls | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls index e76f16d72..d9e731e12 100644 --- a/pillar/logstash/eval.sls +++ b/pillar/logstash/eval.sls 
@@ -16,13 +16,13 @@ logstash: - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja templates: - - so/so-beats-template.json + - so/so-beats-template.json.jinja - so/so-common-template.json - - so/so-firewall-template.json - - so/so-ids-template.json - - so/so-import-template.json - - so/so-osquery-template.json - - so/so-ossec-template.json - - so/so-strelka-template.json - - so/so-syslog-template.json - - so/so-zeek-template.json + - so/so-firewall-template.json.jinja + - so/so-ids-template.json.jinja + - so/so-import-template.json.jinja + - so/so-osquery-template.json.jinja + - so/so-ossec-template.json.jinja + - so/so-strelka-template.json.jinja + - so/so-syslog-template.json.jinja + - so/so-zeek-template.json.jinja From 5eb33d5ac7aeae18bf7b5fd95a7c3a3d18250bb5 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 10 Jul 2020 13:53:55 -0400 Subject: [PATCH 181/314] Logstash Import and Template Assignment --- pillar/logstash/eval.sls | 9 +++++++ pillar/logstash/search.sls | 9 +++++++ salt/filebeat/etc/filebeat.yml | 4 +++ .../config/so/9000_output_zeek.conf.jinja | 15 +---------- .../config/so/9001_output_switch.conf.jinja | 27 ------------------- .../config/so/9002_output_import.conf.jinja | 18 +++---------- .../config/so/9004_output_flow.conf.jinja | 19 +++---------- .../config/so/9026_output_dhcp.conf.jinja | 26 ------------------ .../config/so/9029_output_esxi.conf.jinja | 25 ----------------- .../config/so/9030_output_greensql.conf.jinja | 25 ----------------- .../config/so/9031_output_iis.conf.jinja | 26 ------------------ .../config/so/9032_output_mcafee.conf.jinja | 26 ------------------ .../config/so/9033_output_snort.conf.jinja | 19 +++---------- .../config/so/9034_output_syslog.conf.jinja | 12 ++------- .../config/so/9100_output_osquery.conf.jinja | 9 +++---- .../config/so/9200_output_firewall.conf.jinja | 19 +++---------- .../config/so/9300_output_windows.conf.jinja | 27 ------------------- .../so/9301_output_dns_windows.conf.jinja | 27 ------------------- .../config/so/9400_output_suricata.conf.jinja | 18 +++---------- .../config/so/9500_output_beats.conf.jinja | 7 +++-- .../config/so/9600_output_ossec.conf.jinja | 17 ++---------- .../config/so/9700_output_strelka.conf.jinja | 17 ++---------- .../config/so/9999_output_redis.conf.jinja | 1 - .../templates/so/so-flow-template.json.jinja | 13 +++++++++ setup/so-functions | 5 ++++ 25 files changed, 70 insertions(+), 350 deletions(-) delete mode 100644 salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja delete mode 100644 
salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja create mode 100644 salt/logstash/pipelines/templates/so/so-flow-template.json.jinja diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls index d9e731e12..8613200fe 100644 --- a/pillar/logstash/eval.sls +++ b/pillar/logstash/eval.sls @@ -18,11 +18,20 @@ logstash: templates: - so/so-beats-template.json.jinja - so/so-common-template.json + - so/so-dhcp-template.json.jinja + - so/so-dns_windows-template.json.jinja + - so/so-esxi-template.json.jinja - so/so-firewall-template.json.jinja + - so/so-flow-template.json.jinja + - so/so-greensql-template.json.jinja - so/so-ids-template.json.jinja - so/so-import-template.json.jinja + - so/so-iss-template.json.jinja + - so/so-mcafee-template.json.jinja - so/so-osquery-template.json.jinja - so/so-ossec-template.json.jinja - so/so-strelka-template.json.jinja + - so/so-switch-template.json.jinja - so/so-syslog-template.json.jinja + - so/so-windows-template.json.jinja - so/so-zeek-template.json.jinja diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 6602e0591..2203b8452 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls 
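Review bot: `so/so-iss-template.json.jinja` in the eval.sls hunk looks like a typo for `so-iis-template.json.jinja` — the pipeline this commit removes is `9031_output_iis.conf.jinja`. The diffstat creates only `so-flow-template.json.jinja`, yet the list now also names dhcp, dns_windows, esxi, greensql, iss, mcafee, switch and windows templates; if the logstash state copies each listed template from `salt://logstash/pipelines/templates`, those entries fail until the files exist. The search.sls hunk on the next line has the same two problems.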
@@ -14,11 +14,20 @@ logstash: templates: - so/so-beats-template.json.jinja - so/so-common-template.json + - so/so-dhcp-template.json.jinja + - so/so-dns_windows-template.json.jinja + - so/so-esxi-template.json.jinja - so/so-firewall-template.json.jinja + - so/so-flow-template.json.jinja + - so/so-greensql-template.json.jinja - so/so-ids-template.json.jinja - so/so-import-template.json.jinja + - so/so-iss-template.json.jinja + - so/so-mcafee-template.json.jinja - so/so-osquery-template.json.jinja - so/so-ossec-template.json.jinja - so/so-strelka-template.json.jinja + - so/so-switch-template.json.jinja - so/so-syslog-template.json.jinja + - so/so-windows-template.json.jinja - so/so-zeek-template.json.jinja diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 6d33c1bdf..77dd29dd9 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -126,6 +126,8 @@ filebeat.inputs: category: network imported: true processors: + - add_tags: + tags: [import] - dissect: tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" field: "log.file.path" @@ -164,6 +166,8 @@ filebeat.inputs: category: network imported: true processors: + - add_tags: + tags: [import] - dissect: tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" field: "log.file.path" diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 987614a2c..075aa0f93 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
@@ -3,21 +3,8 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - - -filter { - if [module] =~ "zeek" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { - if [module] =~ "zeek" { + if [module] =~ "zeek" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja deleted file mode 100644 index 8e5e5f200..000000000 --- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if "switch" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9001"] - } - } -} -output { - if "switch" in [tags] and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-switch-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 9153d5c44..f570e6171 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja 
@@ -3,24 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Updated by: Doug Burks -# Last Update: 5/16/2017 - -filter { - if "import" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9002"] - } - } -} output { - if "import" in [tags] and "test_data" not in [tags] { -# stdout { codec => rubydebug } + if "import" in [tags] { elasticsearch { + pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-import-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-import" + template => "/so-import-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 2e1e79f8b..9d7b89f14 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -3,25 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "sflow" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9004"] - } - } -} output { - if [event_type] == "sflow" and "test_data" not in [tags] { - #stdout { codec => rubydebug } + if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" index => "so-flow-%{+YYYY.MM.dd}" - template => "/so-common-template.json" + template_name => "so-flow" + template => "/so-flow-template.json" + template_overwrite => true } } } diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja deleted file mode 100644 index 3da9e83ef..000000000 
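Review bot: The import output now sets `pipeline => "%{module}.%{dataset}"`, but its only condition is `"import" in [tags]`, so any import-tagged event that arrives without a `module` or `dataset` field is sent to a pipeline literally named `%{module}.%{dataset}` and the bulk request for it is rejected. The filebeat change in this commit adds the tag only on the zeek and suricata import inputs, which presumably carry those fields, but nothing in this output enforces it; `if "import" in [tags] and [module] and [dataset] {` makes the assumption explicit and keeps tag-only events from poisoning the batch. The `"test_data" not in [tags]` exclusion is dropped here and in the sibling outputs of this commit; if any input still applies that tag, those events are now indexed.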
--- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "dhcp" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9026"] - } - } -} -output { - if [event_type] == "dhcp" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja deleted file mode 100644 index b84ab4ec9..000000000 --- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja +++ /dev/null @@ -1,25 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "esxi" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9029"] - } - } -} -output { - if [event_type] == "esxi" and "test_data" not in [tags] { - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja deleted file mode 100644 index d6801530b..000000000 
--- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja +++ /dev/null @@ -1,25 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "greensql" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9030"] - } - } -} -output { - if [event_type] == "greensql" and "test_data" not in [tags] { - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja deleted file mode 100644 index 67616110f..000000000 --- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "iis" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9031"] - } - } -} -output { - if [event_type] == "iis" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja deleted file mode 100644 index c6641f671..000000000 
--- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "mcafee" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9032"] - } - } -} -output { - if [event_type] == "mcafee" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 0cc7a3b66..924081862 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -3,26 +3,13 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "ids" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9033"] - } - } -} output { - if [event_type] == "ids" and "test_data" not in [tags] { - #stdout { codec => rubydebug } + if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ids" + template => "/so-ids-template.json" template_overwrite => true } } 
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 59cae7b65..dc520ba6d 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -3,22 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} - -filter { - if [module] =~ "syslog" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { if [module] =~ "syslog" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" index => "so-syslog-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-syslog" + template => "/so-syslog-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 21ae77095..3351356dd 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -3,18 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Josh Brower -# Last Update: 12/29/2018 -# Output to ES for osquery tagged logs - - output { if [module] =~ "osquery" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-osquery-%{+YYYY.MM.dd}" - template => "/so-common-template.json" + template_name => "so-osquery" + template => "/so-osquery-template.json" + template_overwrite => true } } } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 54c75873d..39f78b07d 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -3,26 +3,13 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if "firewall" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9200"] - } - } -} output { - if "firewall" in [tags] and "test_data" not in [tags] { -# stdout { codec => rubydebug } + if "firewall" in [tags] { elasticsearch { hosts => "{{ ES }}" index => "so-firewall-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-firewall" + template => "/so-firewall-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja deleted file mode 100644 index cddda5541..000000000 --- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "windows" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9300"] - } - } -} -output { - if [event_type] == "windows" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-windows-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} 
diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja deleted file mode 100644 index 84fd1f5f7..000000000 --- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "dns" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9301"] - } - } -} -output { - if [event_type] == "dns" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 1d36d774d..48247ca9c 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja 
@@ -3,26 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [module] == "suricata" { - mutate { - ##add_tag => [ "conf_file_9400"] - } - } -} output { - if [module] =~ "suricata" { + if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ids" + template => "/so-ids-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 932a194ab..61a331873 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -3,15 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} - output { - if "beat-ext" in [tags] { + if "beat-ext" in [tags] and "import" not in [tags] { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" index => "so-beats-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-beats" + template => "/so-beats-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 5a8f9f5ba..7b9af4ee0 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja 
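Review bot: This output registers `template_name => "so-ids"` without `template_overwrite => true`, while 9033_output_snort in the same commit registers the same template name with overwrite enabled; both write `so-ids-*`, so on a node where this output registers first, or where the snort output is not loaded, a changed so-ids template is never pushed. Adding `template_overwrite => true` here, as every other output touched by this commit does, keeps the two definitions of so-ids consistent. Note also that the deleted filter matched `[module] == "suricata"` while the retained output condition uses the regex form `[module] =~ "suricata"`; if the equality was intentional, the output should match it.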
@@ -3,27 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Updated by: Doug Burks -# Last Update: 9/19/2018 - -filter { - if [module] =~ "ossec" { - mutate { - ##add_tag => [ "conf_file_9600"] - } - } -} - output { if [module] =~ "ossec" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-ossec-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ossec" + template => "/so-ossec-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 5116b86ea..e4869b4a5 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -3,27 +3,14 @@ {%- else %} {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - - -filter { - if [module] =~ "strelka" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { if [event_type] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-strelka-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-strelka" + template => "/so-strelka-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index afa8d290a..58bfc5b07 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja 
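Review bot: The retained strelka output condition is `if [event_type] =~ "strelka"`, but the filter this hunk deletes keyed on `[module] =~ "strelka"`, the pipeline name is built from `%{module}.%{dataset}`, and every sibling output in this commit selects on `[module]`. If strelka events carry `module` but not `event_type`, they match no output block and are silently dropped rather than indexed. Unless event_type is known to be set on these events, the condition should be `if [module] =~ "strelka" {` so it matches the fields the pipeline name depends on.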
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,6 +1,5 @@ {% set MASTER = salt['pillar.get']('static:masterip', '') %} {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} - output { redis { host => '{{ MASTER }}' diff --git a/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja b/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja new file mode 100644 index 000000000..6c8f2fa9f --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %} +{ + "index_patterns": ["so-flow-*"], + "version": 50001, + "order": 11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/setup/so-functions b/setup/so-functions index 2eca9874d..4337d720c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1026,6 +1026,11 @@ master_static() { " warm: 7"\ " close: 30"\ " delete: 365"\ + " so-flow:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ " so-ids:"\ " shards: 1"\ " warm: 7"\ From 6e99ca600ff0ed4f078db25d55722979604a4baa Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 10 Jul 2020 17:56:40 +0000 Subject: [PATCH 182/314] Move zeek_clean to so-sensor-clean --- salt/common/init.sls | 10 ++ salt/common/tools/sbin/so-sensor-clean | 121 +++++++++++++++++++++++++ salt/zeek/init.sls | 26 +++--- 3 files changed, 144 insertions(+), 13 deletions(-) create mode 100644 salt/common/tools/sbin/so-sensor-clean diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ecba198d..af2cb27b2 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -131,3 +131,13 @@ utilsyncscripts: - file_mode: 755 - template: jinja - source: salt://common/tools/sbin + +# Add sensor cleanup +/usr/sbin/so-sensor-clean: + cron.present: + - user: root + - minute: '*' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean new file mode 100644 index 000000000..37ed69d9a --- /dev/null +++ b/salt/common/tools/sbin/so-sensor-clean 
@@ -0,0 +1,121 @@ +#!/bin/bash + +# Delete Zeek Logs based on defined CRIT_DISK_USAGE value + +# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +SENSOR_DIR='/nsm' +CRIT_DISK_USAGE=30 +CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) +LOG="/opt/so/log/sensor_clean.log" +TODAY=$(date -u "+%Y-%m-%d") + +clean () { + ## find the oldest Zeek logs directory + OLDEST_DIR=$(ls /nsm/zeek/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | head -n 1) + if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ] + then + echo "$(date) - No old Zeek logs available to clean up in /nsm/zeek/logs/" >> $LOG + #exit 0 + else + echo "$(date) - Removing directory: /nsm/zeek/logs/$OLDEST_DIR" >> $LOG + rm -rf /nsm/zeek/logs/"$OLDEST_DIR" + fi + + + ## Remarking for now, as we are moving extracted files to /nsm/strelka/processed + ## find oldest files in extracted directory and exclude today + #OLDEST_EXTRACT=$(find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1) + #if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." 
] + #then + # echo "$(date) - No old extracted files available to clean up in /nsm/zeek/extracted/complete" >> $LOG + #else + # OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1` + # OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'` + # echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG + # find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE + # do + # echo "$(date) - Removing extracted file: $FILE" >> $LOG + # rm -f "$FILE" + # done + #fi + + ## Clean up Zeek extracted files processed by Strelka + STRELKA_FILES='/nsm/strelka/processed' + OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1 ) + if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ] + then + echo "$(date) - No old files available to clean up in $STRELKA_FILES" >> $LOG + else + OLDEST_STRELKA_DATE=`echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1` + OLDEST_STRELKA_FILE=`echo $OLDEST_STRELKA | awk '{print $2}'` + echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >> $LOG + find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi + + ## Clean up Suricata log files + SURICATA_LOGS='/nsm/suricata' + OLDEST_SURICATA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1) + if [ -z "$OLDEST_SURICATA" -o "$OLDEST_SURICATA" == ".." -o "$OLDEST_SURICATA" == "." 
] + then + echo "$(date) - No old files available to clean up in $SURICATA_LOGS" >> $LOG + else + OLDEST_SURICATA_DATE=`echo $OLDEST_SURICATA | awk '{print $1}' | cut -d+ -f1` + OLDEST_SURICATA_FILE=`echo $OLDEST_SURICATA | awk '{print $2}'` + echo "$(date) - Removing logs for $OLDEST_SURICATA_DATE" >> $LOG + find $SURICATA_LOGS -type f -printf '%T+ %p\n' | grep $OLDEST_SURICATA_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi + + ## Clean up extracted pcaps from Steno + PCAPS='/nsm/pcapout' + OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1 ) + if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ] + then + echo "$(date) - No old files available to clean up in $PCAPS" >> $LOG + else + OLDEST_PCAP_DATE=`echo $OLDEST_PCAP | awk '{print $1}' | cut -d+ -f1` + OLDEST_PCAP_FILE=`echo $OLDEST_PCAP | awk '{print $2}'` + echo "$(date) - Removing extracted files for $OLDEST_PCAP_DATE" >> $LOG + find $PCAPS -type f -printf '%T+ %p\n' | grep $OLDEST_PCAP_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi +} + +# Check to see if we are already running +IS_RUNNING=$(ps aux | grep "sensor_clean" | grep -v grep | wc -l) +[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >> $LOG && exit 0 + +if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then + while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; + do + clean + CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) + done +else + echo "$(date) - Current usage value of $CUR_USAGE not greater than CRIT_DISK_USAGE value of $CRIT_DISK_USAGE..." >> $LOG +fi + diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 246b43c90..1ce991907 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
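Review bot: The Suricata branch scans the wrong tree — `OLDEST_SURICATA=$(find $STRELKA_FILES -type f ...)` looks at /nsm/strelka/processed, and the date it yields then drives `find $SURICATA_LOGS ... | grep $OLDEST_SURICATA_DATE`, so Suricata logs are removed (or left alone) based on the age of Strelka files; it should read `OLDEST_SURICATA=$(find $SURICATA_LOGS -type f -printf '%T+ %p\n' | sort -n | head -n 1)`. The concurrency guard `ps aux | grep "sensor_clean"` can never match this script, whose name is `so-sensor-clean` with a hyphen, so with the every-minute cron added in salt/common/init.sls overlapping runs are not prevented. The outer `while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]` loop also has no exit once clean() has nothing left to remove — if /nsm is above the threshold because of data this script does not manage, it spins forever appending to the log — so clean() should report whether it removed anything and the loop should stop when it did not, as sketched below. Finally, `grep $OLDEST_..._DATE` is unanchored and the path comes from `awk '{print $2}'`, so file names containing spaces or a date-like substring are mishandled; `find -newermt`/`-print0` with `xargs -0` would be more robust.

```shell
clean () {
    local removed=0
    # … unchanged: oldest Zeek logs directory selection …
        rm -rf /nsm/zeek/logs/"$OLDEST_DIR" && removed=1
    # … unchanged: Strelka section (set removed=1 after its rm -f) …

    ## Clean up Suricata log files
    SURICATA_LOGS='/nsm/suricata'
    OLDEST_SURICATA=$(find $SURICATA_LOGS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
    # … unchanged: Suricata and pcapout sections (set removed=1 after each rm -f) …
    [ "$removed" -eq 1 ]
}

# Check to see if we are already running (the script is named so-sensor-clean, not sensor_clean)
IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l)
# … unchanged: early exit when already running …

while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do
    if ! clean; then
        echo "$(date) - Usage $CUR_USAGE% still above $CRIT_DISK_USAGE% but nothing left to remove; exiting." >> $LOG
        break
    fi
    CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
done
```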
@@ -86,20 +86,20 @@ nodecfgsync: - group: 939 - template: jinja -zeekcleanscript: - file.managed: - - name: /usr/local/bin/zeek_clean - - source: salt://zeek/cron/zeek_clean - - mode: 755 +#zeekcleanscript: +# file.managed: +# - name: /usr/local/bin/zeek_clean +# - source: salt://zeek/cron/zeek_clean +# - mode: 755 -/usr/local/bin/zeek_clean: - cron.present: - - user: root - - minute: '*' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' +#/usr/local/bin/zeek_clean: +# cron.present: +# - user: root +# - minute: '*' +# - hour: '*' +# - daymonth: '*' +# - month: '*' +# - dayweek: '*' plcronscript: file.managed: From 811bbb4cb0cf6439232bfdc674634c02bf4d3f8c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Jul 2020 12:49:12 -0400 Subject: [PATCH 183/314] Require sudo to run an import --- salt/common/tools/sbin/so-import-pcap | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 0c99ede64..d6815c450 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -17,7 +17,9 @@ {% set MASTER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion') %} -{%- set MASTERIP = salt['pillar.get']('static:masterip') -%} +{% set MASTERIP = salt['pillar.get']('static:masterip') %} + +. /usr/sbin/so-common function usage { cat << EOF @@ -220,6 +222,6 @@ https://{{ MASTERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.datas or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST -Please note that it may take 30 seconds or more for events to appear in Kibana. +Please note that it may take 30 seconds or more for events to appear in Onion Hunt. EOF fi From 358ef78cd940afe8f6c0f483cf8f0c659b6c973f Mon Sep 17 00:00:00 2001 
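Review bot: Commenting out the `zeekcleanscript` and `/usr/local/bin/zeek_clean` states does not undo them on sensors that already applied the previous highstate — Salt only removes a crontab entry through `cron.absent` and a managed file through `file.absent` — so those nodes keep running the old zeek_clean every minute alongside the new so-sensor-clean, both deleting from /nsm/zeek/logs. Replacing the commented block with `/usr/local/bin/zeek_clean: cron.absent: - user: root` and a matching `file.absent` for the script retires the old cleaner deterministically, after which the commented text can be dropped rather than left in the state file.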
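Review bot: The commit is titled "Require sudo to run an import", but the only new code in this hunk is `. /usr/sbin/so-common`; whether that file exits when not running as root is not visible here, and nothing in so-import-pcap itself checks `id -u`. If so-common does not enforce it, an explicit guard right after the source line, `[ "$(id -u)" -eq 0 ] || { echo "so-import-pcap must be run as root (use sudo)." >&2; exit 1; }`, makes the requirement a property of this script rather than of a helper's contents. The `usage` function and the rest of the script continue outside the hunk.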
From: Jason Ertel Date: Fri, 10 Jul 2020 13:58:46 -0400 Subject: [PATCH 184/314] Do not stop curator since imported data will now be placed into a longer term so-import index --- salt/common/tools/sbin/so-import-pcap | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index d6815c450..289d27024 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -25,7 +25,8 @@ function usage { cat << EOF Usage: $0 [pcap-file-2] [pcap-file-N] -Imports one or more PCAP files for analysis. If available, curator will be automatically stopped. +Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and +made available for review in the Security Onion toolset. EOF } @@ -112,14 +113,6 @@ for i in "$@"; do fi done -if ! [ -d /opt/so/conf/curator ]; then - echo "Curator is not installed on this node and cannot be stopped automatically." -else - echo -n "Stopping curator..." - so-curator-stop > /dev/null 2>&1 - echo "Done" -fi - # track if we have any valid or invalid pcaps INVALID_PCAPS="no" VALID_PCAPS="no" From 9730c4561dadc8a54ff6e19b3d319e175d35162a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 10 Jul 2020 14:08:39 -0400 Subject: [PATCH 185/314] add elasticsearch pillar to manager --- setup/so-functions | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 909f4d865..f6c04172b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
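Review bot: Dropping the curator stop relies on the `so-import-*` index having its own longer retention, as the commit message states, but no `so-import` retention stanza is visible anywhere in this series (the only new one shown, in setup/so-functions, is `so-flow`). It is worth confirming that pillar entry exists before merging, since otherwise an analyst's imported pcap is aged out on the next curator run with no warning; a one-line comment above the removed block, `# curator is no longer stopped: imported events land in the so-import index, which has its own retention`, records the assumption for the next reader.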
@@ -961,6 +961,16 @@ manager_pillar() { " playbook: $PLAYBOOK"\ " url_base: $REDIRECTIT"\ ""\ + "elasticsearch:"\ + " mainip: $MAINIP"\ + " mainint: $MNIC"\ + " esheap: $NODE_ES_HEAP_SIZE"\ + " esclustername: {{ grains.host }}"\ + " node_type: $NODETYPE"\ + " es_port: $node_es_port"\ + " log_size_limit: $log_size_limit"\ + " node_route_type: hot"\ + ""\ "logstash_settings:"\ " ls_pipeline_batch_size: 125"\ " ls_input_threads: 1"\ From 72aa91b7634dd9f6e52b7be56fbdc142cc417cb1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 14:38:03 -0400 Subject: [PATCH 186/314] [feat] Add message in setup and motd on where to access SOC --- ...te_reboot_required.jinja => so_motd.jinja} | 5 +++++ salt/motd/init.sls | 4 ++-- setup/so-functions | 6 +++--- setup/so-whiptail | 20 ++++++++++++++++--- 4 files changed, 27 insertions(+), 8 deletions(-) rename salt/motd/files/{package_update_reboot_required.jinja => so_motd.jinja} (86%) diff --git a/salt/motd/files/package_update_reboot_required.jinja b/salt/motd/files/so_motd.jinja similarity index 86% rename from salt/motd/files/package_update_reboot_required.jinja rename to salt/motd/files/so_motd.jinja index 6d94fc613..941aa2350 100644 --- a/salt/motd/files/package_update_reboot_required.jinja +++ b/salt/motd/files/so_motd.jinja @@ -1,4 +1,9 @@ {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} +{% set url = salt['pillar.get']('master:url_base') -%} + + +Access the Security Onion web interface at https://{{ url }} +(You may need to run so-allow first if you haven't yet) {%- if needs_restarting_check %} {%- set minions_need_restarted = [] %} diff --git a/salt/motd/init.sls b/salt/motd/init.sls index 4dae979bf..06ad270a1 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls 
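Review bot: The new `elasticsearch:` stanza interpolates `$node_es_port`, `$log_size_limit` and `$NODE_ES_HEAP_SIZE`, none of which is set in this hunk; if any is unset on the manager path (the mixed lowercase/uppercase naming suggests they originate in different setup flows), the rendered pillar contains a bare `es_port:` or `log_size_limit:` key, which YAML reads as null rather than a port or size. Failing loudly before the heredoc, e.g. `: "${node_es_port:?node_es_port is unset}"`, or giving them explicit defaults, prevents a half-formed pillar from being written. `esclustername: {{ grains.host }}` is written literally into the pillar and only resolves if that pillar file is rendered through Jinja, which this diff does not show; the enclosing manager_pillar function starts outside the hunk.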
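Review bot: `salt['pillar.get']('master:url_base')` is called without a default, so on any minion where that pillar key is absent the banner renders `https://` with nothing after it. The logstash templates in this series pass a default as the second argument; doing the same here, `{% set url = salt['pillar.get']('master:url_base', '') -%}`, and wrapping the two access lines in `{%- if url %}` … `{%- endif %}` prints the hint only when there is a URL to show.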
@@ -1,5 +1,5 @@ -package_update_reboot_required_motd: +so_motd: file.managed: - name: /etc/motd - - source: salt://motd/files/package_update_reboot_required.jinja + - source: salt://motd/files/so_motd.jinja - template: jinja diff --git a/setup/so-functions b/setup/so-functions index 63bed83dc..94caeba19 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -926,13 +926,13 @@ master_pillar() { case $REDIRECTINFO in 'IP') - REDIRECTIT="$MAINIP" + export REDIRECTIT="$MAINIP" ;; 'HOSTNAME') - REDIRECTIT=$HOSTNAME + export REDIRECTIT=$HOSTNAME ;; *) - REDIRECTIT="$REDIRECTHOST" + export REDIRECTIT="$REDIRECTHOST" ;; esac diff --git a/setup/so-whiptail b/setup/so-whiptail index 0b34d3cb8..20e4d7ee5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1033,7 +1033,21 @@ whiptail_setup_complete() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75 + if [[ -n $ALLOW_CIDR ]]; then + local sentence_prefix="Access" + else + local sentence_prefix="Run so-allow after reboot to access" + fi + + read -r -d '' message <<- EOM + Finished ${install_type} install + + ${sentence_prefix} the web interface at https://${REDIRECTIT} + + Press ENTER to reboot + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" 12 75 } whiptail_setup_failed() { @@ -1068,7 +1082,7 @@ whiptail_so_allow() { if [[ $exitstatus == 0 ]]; then ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \ - 10 75 125 3>&1 1>&2 2>&3) + 10 75 3>&1 1>&2 2>&3) local exitstatus=$? export ALLOW_ROLE='a' 
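Review bot: `read -r -d '' message <<- EOM` in whiptail_setup_complete always returns 1, because `read` reaches end of input before finding a NUL delimiter; if so-whiptail runs with `set -e`, or a caller inspects the status, the function stops before the msgbox is shown. The usual form is `read -r -d '' message <<- EOM || true`. Note also that `<<-` strips leading tabs only, so if the heredoc body is indented with spaces those spaces become part of the dialog text; the collapsed diff does not show which was used.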
@@ -1125,7 +1139,7 @@ whiptail_master_updates() { local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MASTER" "Master node is proxy for updates" ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 67c8836cd666226b93a9240bab2c013428ae1103 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 14:39:02 -0400 Subject: [PATCH 187/314] [fix] Use 100GB min space for standalone also --- setup/so-functions | 6 +++--- setup/so-setup | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 94caeba19..a35393ddf 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -398,7 +398,7 @@ checkin_at_boot() { } check_requirements() { - local eval_or_dist=$1 + local standalone_or_dist=$1 local node_type=$2 # optional local req_mem local req_cores @@ -407,12 +407,12 @@ check_requirements() { readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" local num_nics=${#nic_list[@]} - if [[ "$eval_or_dist" == 'eval' ]]; then + if [[ "$standalone_or_dist" == 'standalone' ]]; then req_mem=12 req_cores=4 req_nics=2 req_storage=100 - elif [[ "$eval_or_dist" == 'dist' ]]; then + elif [[ "$standalone_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 req_storage=40 diff --git a/setup/so-setup b/setup/so-setup index 0f28f1244..d9bc73d27 100755 --- a/setup/so-setup +++ b/setup/so-setup 
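Review bot: Renaming the selector value from `'eval'` to `'standalone'` in check_requirements leaves no branch for the old argument, so any caller still passing `"eval"` falls through both `if`/`elif` with `req_mem`, `req_cores` and `req_storage` unset, and the comparisons that follow (outside the hunk) presumably run against empty values. so-setup is updated in the same commit, but an `else` that fails loudly would catch the next drift: `else echo "check_requirements: unknown install type '$standalone_or_dist'" >&2; return 1; fi`. check_requirements continues outside the hunk.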
@@ -163,8 +163,8 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true fi -if [[ $is_eval ]]; then - check_requirements "eval" +if [[ $is_master && $is_sensor ]]; then + check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" elif [[ $is_sensor && ! $is_eval ]]; then From f56811e745b4c69ccb13c817175ce1ba44f9d6f7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 14:40:04 -0400 Subject: [PATCH 188/314] [feat] Use setup user+pass for TheHive, Cortex, and Fleet as well --- salt/thehive/scripts/cortex_init | 14 +++++++------- salt/thehive/scripts/hive_init | 8 ++++---- setup/so-functions | 11 ++++++----- setup/so-whiptail | 3 ++- 4 files changed, 19 insertions(+), 17 deletions(-) diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 063ae498d..922ad45dc 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init 
@@ -1,11 +1,11 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} -{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %} -{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} -{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} -{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} -{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} +# {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} +# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} +# {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} +# {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} +# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} +# {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} default_salt_dir=/opt/so/saltstack/default diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index 296004e77..0163b45f3 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,8 +1,8 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} -{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} -{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} +# {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +# {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %} +# {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} thehive_init(){ sleep 120 
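Review bot: The added default `'cortexchangeme'` on the `CORTEXPASSWORD` line means a missing or empty `static:cortexpassword` pillar key no longer surfaces as an error but silently initialises Cortex with a well-known password; the same applies to `'hivechangeme'` in the hive_init hunk that follows. A safer fallback is none at all, with the script refusing to run on an empty value, e.g. `[ -n "{{ CORTEXPASSWORD }}" ] || { echo "static:cortexpassword is not set" >&2; exit 1; }` placed after the set lines. The rest of the init script is outside the hunk.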
diff --git a/setup/so-functions b/setup/so-functions index a35393ddf..d9ebf0d15 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -979,15 +979,16 @@ master_static() { " broversion: $BROVERSION"\ " ids: $NIDS"\ " masterip: $MAINIP"\ - " hiveuser: hiveadmin"\ - " hivepassword: hivechangeme"\ + " hiveuser: $WEBUSER"\ + " hivepassword: $WEBPASSWD1"\ " hivekey: $HIVEKEY"\ - " cortexuser: cortexadmin"\ - " cortexpassword: cortexchangeme"\ + " cortexuser: $WEBUSER"\ + " cortexpassword: $WEBPASSWD1"\ " cortexkey: $CORTEXKEY"\ " cortexorgname: SecurityOnion"\ - " cortexorguser: soadmin"\ + " cortexorguser: $WEBUSER"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ + " grafanapassword: $WEBPASSWD1"\ " fleet_custom_hostname: "\ " fleet_master: False"\ " fleet_node: False"\ diff --git a/setup/so-whiptail b/setup/so-whiptail index 20e4d7ee5..3b8b13f79 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -252,7 +252,8 @@ whiptail_create_web_user() { [ -n "$TESTING" ] && return WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \ - "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3) + "Please enter an email address to create an administrator account for the web interface. \ + This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 37ab252e01f512de3fe1170b3ba065154b8cb97a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 10 Jul 2020 19:30:08 +0000 Subject: [PATCH 189/314] Add sensor proc eval --- salt/common/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index af2cb27b2..3515205ef 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -132,6 +132,7 @@ utilsyncscripts: - template: jinja - source: salt://common/tools/sbin +{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} # Add sensor cleanup /usr/sbin/so-sensor-clean: cron.present: 
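Review bot: `" hivepassword: $WEBPASSWD1"\` (and the cortexpassword / grafanapassword lines) write the user-entered password into YAML unquoted, so a password containing `: ` or ` #`, or starting with a YAML indicator such as `[`, `*` or `'`, either breaks pillar rendering or is silently truncated; the value needs to be YAML-escaped before it is emitted, and the same goes for the `$WEBUSER` e-mail address. Separately, one secret is now shared verbatim across TheHive, Cortex, the Cortex org user and Grafana, so a leak of the static pillar exposes all of them at once; a comment at the top of the stanza stating that this reuse is deliberate would help the next reader. master_static's body continues outside the hunk.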
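Review bot: `{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}` references `role`, which nothing in this state defines as of this commit, so rendering salt/common/init.sls should fail with an undefined-variable error until it is set; the matching `{% endif %}` is in the next hunk. The variable must be defined near the top of the file before this guard, either from a grain or from the minion id, with a comment stating which values it can take so the list in the guard stays in sync.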
@@ -141,3 +142,4 @@ utilsyncscripts: - daymonth: '*' - month: '*' - dayweek: '*' +{% endif %} From d7f7fb801c91ec44a01e0203f0362f1f2541658f Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 10 Jul 2020 19:35:27 +0000 Subject: [PATCH 190/314] Set role --- salt/common/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 3515205ef..ef558d3e5 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,3 +1,5 @@ +{% set role = grains.id.split('_') | last %} + # Add socore Group socoregroup: group.present: From 46d572fa8cd8c319be3b59b92bb9c5ebbd72b39d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 10 Jul 2020 15:51:12 -0400 Subject: [PATCH 191/314] Fix Filebeat spacing --- pillar/logstash/eval.sls | 8 -------- pillar/logstash/search.sls | 8 -------- salt/filebeat/etc/filebeat.yml | 4 ++-- 3 files changed, 2 insertions(+), 18 deletions(-) diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls index 8613200fe..fcdd13bb7 100644 --- a/pillar/logstash/eval.sls +++ b/pillar/logstash/eval.sls @@ -18,20 +18,12 @@ logstash: templates: - so/so-beats-template.json.jinja - so/so-common-template.json - - so/so-dhcp-template.json.jinja - - so/so-dns_windows-template.json.jinja - - so/so-esxi-template.json.jinja - so/so-firewall-template.json.jinja - so/so-flow-template.json.jinja - - so/so-greensql-template.json.jinja - so/so-ids-template.json.jinja - so/so-import-template.json.jinja - - so/so-iss-template.json.jinja - - so/so-mcafee-template.json.jinja - so/so-osquery-template.json.jinja - so/so-ossec-template.json.jinja - so/so-strelka-template.json.jinja - - so/so-switch-template.json.jinja - so/so-syslog-template.json.jinja - - so/so-windows-template.json.jinja - so/so-zeek-template.json.jinja diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 2203b8452..9c069fd20 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls 
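Review bot: `{% set role = grains.id.split('_') | last %}` derives the role from the minion id's last underscore-separated token, so a minion whose id contains no underscore gets its whole id as `role` and quietly matches none of the entries in the `role in [...]` guard below, disabling the sensor-clean cron with no error. If a role grain is available it would be the more robust source; otherwise a comment documenting the id convention this relies on, e.g. `{# minion ids are <hostname>_<role>; the last token selects the role #}`, records the assumption.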
@@ -14,20 +14,12 @@ logstash: templates: - so/so-beats-template.json.jinja - so/so-common-template.json - - so/so-dhcp-template.json.jinja - - so/so-dns_windows-template.json.jinja - - so/so-esxi-template.json.jinja - so/so-firewall-template.json.jinja - so/so-flow-template.json.jinja - - so/so-greensql-template.json.jinja - so/so-ids-template.json.jinja - so/so-import-template.json.jinja - - so/so-iss-template.json.jinja - - so/so-mcafee-template.json.jinja - so/so-osquery-template.json.jinja - so/so-ossec-template.json.jinja - so/so-strelka-template.json.jinja - - so/so-switch-template.json.jinja - so/so-syslog-template.json.jinja - - so/so-windows-template.json.jinja - so/so-zeek-template.json.jinja diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 77dd29dd9..7b2289095 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -127,7 +127,7 @@ filebeat.inputs: imported: true processors: - add_tags: - tags: [import] + tags: [import] - dissect: tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" field: "log.file.path" @@ -167,7 +167,7 @@ filebeat.inputs: imported: true processors: - add_tags: - tags: [import] + tags: [import] - dissect: tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" field: "log.file.path" From eb2dc0be4cb6559e7472ad301480c5510d7629cc Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 10 Jul 2020 17:17:33 -0400 Subject: [PATCH 192/314] Fix value --- salt/common/tools/sbin/so-sensor-clean | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean index 37ed69d9a..886b16fcd 100644 --- a/salt/common/tools/sbin/so-sensor-clean +++ b/salt/common/tools/sbin/so-sensor-clean 
@@ -18,7 +18,7 @@ # along with this program. If not, see . SENSOR_DIR='/nsm' -CRIT_DISK_USAGE=30 +CRIT_DISK_USAGE=90 CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) LOG="/opt/so/log/sensor_clean.log" TODAY=$(date -u "+%Y-%m-%d") From 547298fce0d9967fb10a965cae3bd51d1056cbd0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:34:33 -0400 Subject: [PATCH 193/314] [refactor] Hide output for cortex and thehive init scripts --- salt/thehive/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index da07247c4..3ca913221 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -115,6 +115,7 @@ cortexscript: - source: salt://thehive/scripts/cortex_init - cwd: /opt/so - template: jinja + - hide_output: True so-thehive: docker_container.running: @@ -134,3 +135,4 @@ thehivescript: - source: salt://thehive/scripts/hive_init - cwd: /opt/so - template: jinja + - hide_output: True From ce7373501bb869665d2e7546f0b4b238e0e8c4fb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:58:47 -0400 Subject: [PATCH 194/314] [fix] Add fallback for hive + cortex users --- salt/thehive/scripts/cortex_init | 2 +- salt/thehive/scripts/hive_init | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index f653bc008..90980da9c 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -1,6 +1,6 @@ #!/bin/bash # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} -# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} +# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %} # {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} # {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} # {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} 
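Review bot: `CRIT_DISK_USAGE=90` is a bare magic number: nothing says it is a percentage of `$SENSOR_DIR` or what happens when `CUR_USAGE` crosses it, and the jump from 30 to 90 changes the behaviour of a script that runs unattended from cron. A one-line comment above it, `# Percentage of $SENSOR_DIR usage at which cleanup of old data begins`, makes the unit explicit; if the value is meant to vary per install, reading it from pillar rather than hard-coding it would avoid the next "Fix value" commit. The cleanup logic that consumes these variables is outside the hunk.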
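Review bot: Adding `'cortexadmin'` as the `CORTEXUSER` default (and `'hiveadmin'` for `THEHIVEUSER` in the hive_init hunk that follows) completes a fixed username/password pair on any node whose static pillar lacks these keys, because the password lines directly below already default to `'cortexchangeme'` / `'hivechangeme'`. A username fallback alone would be harmless if the password had none; as it stands it deserves a comment such as `# fallback only; setup always writes static:cortexuser/cortexpassword from the web admin account`, or the password defaults should be dropped so a missing pillar fails rendering instead of initialising with known credentials.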
diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index bcd911c1e..a8307c0d6 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,6 +1,6 @@ #!/bin/bash # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} -# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %} # {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %} # {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} From 4cfecae3b2dcef8f2ed1955619d6d255727f3305 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:59:51 -0400 Subject: [PATCH 195/314] [ix] Remove grafanapassword pillar key --- setup/so-functions | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 487eb9a40..1f48e4939 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1010,7 +1010,6 @@ manager_static() { " cortexorgname: SecurityOnion"\ " cortexorguser: $WEBUSER"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ - " grafanapassword: $WEBPASSWD1"\ " fleet_custom_hostname: "\ " fleet_manager: False"\ " fleet_node: False"\ From aee304e5d5f5be9986af3950fd76bd4cdd624a0d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 18:13:20 -0400 Subject: [PATCH 196/314] [fix] master -> manager --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 42fa6c33a..4e12dc8b9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -163,7 +163,7 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true fi -if [[ $is_master && $is_sensor ]]; then +if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" 
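Review bot: The rename to `$is_manager` on the `check_requirements "standalone"` guard, and on the `whiptail_so_allow` guard in the hunk that follows, touches only so-setup; if the flag is still assigned under its old name in the install-type `case` above (outside the hunk) or in so-functions, both conditions become permanently false and the standalone requirement check and the so-allow prompt are skipped without any error. A grep for remaining `is_master` assignments before merging would confirm the rename is complete.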
@@ -331,7 +331,7 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi -if [[ $is_master ]]; then whiptail_so_allow; fi +if [[ $is_manager ]]; then whiptail_so_allow; fi whiptail_make_changes From f9c8f8cdcaeff0b72e8a6b7a79710f58fa119a75 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 18:40:39 -0400 Subject: [PATCH 197/314] [fix] Set SKIP_REBOOT on any failure during setup --- setup/so-setup | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index ebce5861e..e1177c21c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -58,7 +58,6 @@ function progress() { fi export SO_ERROR=1 - export SKIP_REBOOT=1 title="Error found, please check $setup_log" fi @@ -610,7 +609,7 @@ fi checkin_at_boot >> $setup_log 2>&1 set_progress_str 95 'Verifying setup' - salt-call -l info state.highstate >> $setup_log 2>&1 + salt-call -l info state.highstate >> $setup_log 2>&1 } | progress @@ -620,7 +619,9 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ $success != 0 || $SO_ERROR == 1 ]]; then whiptail_setup_failed +if [[ $success != 0 || $SO_ERROR == 1 ]]; then + SKIP_REBOOT=1 + whiptail_setup_failed else whiptail_setup_complete if [[ $THEHIVE == 1 ]]; then check_hive_init; fi From 605daaf66b977cbf706650037cde9f3ac016ce00 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 18:45:34 -0400 Subject: [PATCH 198/314] [fix] Only check for disk space on a network install --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 08d6015ae..b05da56dd 100755 --- a/setup/so-functions +++ b/setup/so-functions 
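Review bot: Moving `SKIP_REBOOT=1` out of `progress()` fixes only half of the problem: `export SO_ERROR=1` on the line above the removed export is still set inside `progress`, which runs as the consumer of the `} | progress` pipeline and therefore in a subshell (bash without `lastpipe`), so the new `[[ $success != 0 || $SO_ERROR == 1 ]]` check in the parent never observes it. If that reading is right, signal the error through a marker file or through `progress`'s exit status (`exit 1` on the error path, then test `${PIPESTATUS[1]}` after the pipeline), keeping `SKIP_REBOOT=1` where this commit puts it. The body of `progress` and the pipeline itself are partly outside the hunk.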
@@ -420,7 +420,7 @@ check_requirements() { if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi - if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then + if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" fi From 65062d93f4a38029c7293eae121aa68b9224b03b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 10 Jul 2020 19:43:43 -0400 Subject: [PATCH 199/314] Misc fixes --- salt/elasticsearch/files/ingest/beats.common | 18 +- salt/elasticsearch/files/ingest/common | 9 +- .../files/ingest/osquery.query_result | 20 +- .../templates/so/so-common-template.json | 6 +- salt/nginx/files/nav_layer_playbook.json | 2 +- salt/nginx/files/navigator_config.json | 2 +- salt/playbook/files/playbook-schema.sql | 1224 ----------------- salt/playbook/files/playbook_db_init.sql | 40 +- salt/playbook/files/redmine.db | Bin 2207744 -> 0 bytes 9 files changed, 65 insertions(+), 1256 deletions(-) delete mode 100644 salt/playbook/files/playbook-schema.sql delete mode 100644 salt/playbook/files/redmine.db diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index 9ea586156..5ca41e5f5 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common 
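Review bot: `&& [[ $setup_type == 'network' ]]` makes the free-space check disappear entirely for every other install type, and the hunk records no reason; if the intent is that ISO installs lay out their own disks, say so with a comment such as `# only a network install needs the root free-space check; confirm the reason for the ISO exemption` until the rationale is settled. Putting the cheap string test first, `if [[ $setup_type == 'network' ]] && (( $(echo "$free_space_root < $req_storage" | bc -l) )); then`, also avoids spawning `bc` when the result is discarded. check_requirements continues outside the hunk.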
@@ -3,16 +3,26 @@ "processors" : [ {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, - { "set": { "if": "ctx.winlog?.channel!= null", "field": "event.module", "value": "win_eventlog", "override": true, "ignore_failure": true } }, - { "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "{{winlog.channel}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && 
ctx.event?.code == 5", "field": "event.dataset", "value": "driver_loaded", "override": true } }, - { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 
'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index 3bb19535e..9db5a039b 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common 
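Review bot: The removed `dataset: {{winlog.channel}}` setter has no replacement on the new side, so non-Sysmon Windows events now get `event.module: windows_eventlog` but no `event.dataset` at all, whereas the osquery.query_result pipeline changed in this same commit still sets `event.dataset` from the channel for those events; the two ingest paths now disagree. A guarded setter restores parity: `{ "set": { "if": "ctx.winlog?.channel != null && ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }`. The `windows_eventlog` setter also depends on the `sysmon` setter running first because it uses `"override": false`; that ordering should be stated in the pipeline description so a reorder does not silently relabel Sysmon events.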
@@ -37,14 +37,15 @@ "index_name_format": "yyyy.MM.dd" } }, - { "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "low", "override": true } }, - { "set": { "if": "ctx.event?.severity == 5", "field": "event.severity_label", "value": "medium", "override": true } }, - { "set": { "if": "ctx.event?.severity == 7", "field": "event.severity_label", "value": "high", "override": true } }, - { "set": { "if": "ctx.event?.severity == 10", "field": "event.severity_label", "value": "critical", "override": true } }, + { "set": { "if": "ctx.event?.severity == 1", "field": "event.severity_label", "value": "low", "override": true } }, + { "set": { "if": "ctx.event?.severity == 2", "field": "event.severity_label", "value": "medium", "override": true } }, + { "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "high", "override": true } }, + { "set": { "if": "ctx.event?.severity == 4", "field": "event.severity_label", "value": "critical", "override": true } }, { "rename": { "field": "module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_failure": true, "ignore_missing": true } }, { "rename": { "field": "category", "target_field": "event.category", "ignore_missing": true } }, { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } }, + { "lowercase": { "field": "event.dataset", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, 
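Review bot: The severity thresholds move from `3/5/7/10` to `1/2/3/4`, which silently changes the label every existing producer of `event.severity` receives; if any source still emits the old scale, or uses a scale where 1 is the most severe (Suricata's alert priority does), those events are labelled `low` instead of `critical`. The comparisons are against integers, so a severity that arrives as a string (e.g. `"1"` from a syslog source) matches none of them and gets no label; a preceding `{ "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }`, like the port conversions further down, would cover that. Which sources feed the new scale belongs in the pipeline description or the commit message.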
diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 5b37655f9..80ed32d73 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result 
@@ -31,7 +31,25 @@ { "rename": { "field": "message3.columns.remote_port", "target_field": "remote.port", "ignore_missing": true } }, { "rename": { "field": "message3.columns.process_name", "target_field": "process.name", "ignore_missing": true } }, { "rename": { "field": "message3.columns.eventid", "target_field": "event.code", "ignore_missing": true } }, - { "set": { "if": "ctx.message3.columns?.data != null", "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, + { "set": { "if": "ctx.message3.columns?.source != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{message3.columns.source}}", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": 
"ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 
'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, { "rename": { "field": "message3.columns.winlog.EventData.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "message3.columns.winlog.EventData.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, { "rename": { "field": "message3.columns.winlog.EventData.destinationIp", "target_field": "destination.ip", "ignore_missing": true } }, diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/logstash/pipelines/templates/so/so-common-template.json index 396e26c3c..86f07e079 100644 --- a/salt/logstash/pipelines/templates/so/so-common-template.json +++ b/salt/logstash/pipelines/templates/so/so-common-template.json @@ -1,5 +1,5 @@ { - "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"], + "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], "version":50001, "order" : 10, "settings":{ @@ -380,6 +380,10 @@ "type":"object", "dynamic": true }, + "winlog":{ + "type":"object", + "dynamic": true + }, "x509":{ "type":"object", "dynamic": true diff --git a/salt/nginx/files/nav_layer_playbook.json b/salt/nginx/files/nav_layer_playbook.json index 43ed462b7..7b7f39098 100644 --- a/salt/nginx/files/nav_layer_playbook.json +++ b/salt/nginx/files/nav_layer_playbook.json @@ -1,6 +1,6 @@ { "name": "Playbook", - "version": "2.1", + "version": "2.2", "domain": "mitre-enterprise", "description": "Current Coverage of Playbook", "filters": { diff --git a/salt/nginx/files/navigator_config.json b/salt/nginx/files/navigator_config.json index 7e132cbf8..2b6bc1be0 100644 --- a/salt/nginx/files/navigator_config.json 
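Review bot: `"if": "ctx.message3.columns?.source != 'Microsoft-Windows-Sysmon/Operational'"` is also true when `source` is absent, because `null != '…'` evaluates to true, so every osquery result without a `source` column gets `event.dataset` overwritten with the empty string that `{{message3.columns.source}}` renders to — and with `"override": true` any dataset set earlier in the pipeline is clobbered. Guard the null case: `"if": "ctx.message3.columns?.source != null && ctx.message3.columns?.source != 'Microsoft-Windows-Sysmon/Operational'"`. The `windows_eventlog` setter with `"override": false` has the same ordering dependence on the preceding `sysmon` setter as in beats.common.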
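Review bot: `"winlog": { "type": "object", "dynamic": true }` lets every distinct `winlog.event_data.*` key from every Windows channel create a new mapped field in the so-* indices; with Sysmon and the security log mixed under one template this can approach the per-index field limit over time, and the `dynamic: true` blocks already present for other objects compound it. Either list the known `winlog` fields explicitly or document the field-count risk alongside the template. The `"so-playbook-*"` entry added to `index_patterns` also lacks the space after the comma used by the rest of the array — valid JSON, but inconsistent.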
+++ b/salt/nginx/files/navigator_config.json @@ -16,7 +16,7 @@ "domain": "mitre-enterprise", - "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{ip}}/playbook/projects/playbook-prod/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=cf_27&op%5Bcf_27%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_24&c%5B%5D=cf_25&c%5B%5D=cf_6&c%5B%5D=updated_on&group_by=&t%5B%5D=&v%5Bcf_27%5D%5B%5D=~Technique_ID~"}], + "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{ip}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], "default_layers": { "enabled": true, diff --git a/salt/playbook/files/playbook-schema.sql b/salt/playbook/files/playbook-schema.sql deleted file mode 100644 index 02eafcbdd..000000000 --- a/salt/playbook/files/playbook-schema.sql +++ /dev/null 
@@ -1,1224 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) --- --- Host: localhost Database: playbook --- ------------------------------------------------------ --- Server version 5.7.24 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `ar_internal_metadata` --- - -DROP TABLE IF EXISTS `ar_internal_metadata`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ar_internal_metadata` ( - `key` varchar(255) NOT NULL, - `value` varchar(255) DEFAULT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`key`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `attachments` --- - -DROP TABLE IF EXISTS `attachments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `attachments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `container_id` int(11) DEFAULT NULL, - `container_type` varchar(30) DEFAULT NULL, - `filename` varchar(255) NOT NULL DEFAULT '', - `disk_filename` varchar(255) NOT NULL DEFAULT '', - `filesize` bigint(20) NOT NULL DEFAULT '0', - `content_type` varchar(255) DEFAULT '', - `digest` varchar(64) NOT NULL DEFAULT '', - `downloads` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - 
`created_on` timestamp NULL DEFAULT NULL, - `description` varchar(255) DEFAULT NULL, - `disk_directory` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_attachments_on_author_id` (`author_id`), - KEY `index_attachments_on_created_on` (`created_on`), - KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), - KEY `index_attachments_on_disk_filename` (`disk_filename`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `auth_sources` --- - -DROP TABLE IF EXISTS `auth_sources`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_sources` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(60) NOT NULL DEFAULT '', - `host` varchar(60) DEFAULT NULL, - `port` int(11) DEFAULT NULL, - `account` varchar(255) DEFAULT NULL, - `account_password` varchar(255) DEFAULT '', - `base_dn` varchar(255) DEFAULT NULL, - `attr_login` varchar(30) DEFAULT NULL, - `attr_firstname` varchar(30) DEFAULT NULL, - `attr_lastname` varchar(30) DEFAULT NULL, - `attr_mail` varchar(30) DEFAULT NULL, - `onthefly_register` tinyint(1) NOT NULL DEFAULT '0', - `tls` tinyint(1) NOT NULL DEFAULT '0', - `filter` text, - `timeout` int(11) DEFAULT NULL, - `verify_peer` tinyint(1) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `index_auth_sources_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `boards` --- - -DROP TABLE IF EXISTS `boards`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `boards` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `position` 
int(11) DEFAULT NULL, - `topics_count` int(11) NOT NULL DEFAULT '0', - `messages_count` int(11) NOT NULL DEFAULT '0', - `last_message_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `boards_project_id` (`project_id`), - KEY `index_boards_on_last_message_id` (`last_message_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changes` --- - -DROP TABLE IF EXISTS `changes`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changes` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `changeset_id` int(11) NOT NULL, - `action` varchar(1) NOT NULL DEFAULT '', - `path` text NOT NULL, - `from_path` text, - `from_revision` varchar(255) DEFAULT NULL, - `revision` varchar(255) DEFAULT NULL, - `branch` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `changesets_changeset_id` (`changeset_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changeset_parents` --- - -DROP TABLE IF EXISTS `changeset_parents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changeset_parents` ( - `changeset_id` int(11) NOT NULL, - `parent_id` int(11) NOT NULL, - KEY `changeset_parents_changeset_ids` (`changeset_id`), - KEY `changeset_parents_parent_ids` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changesets` --- - -DROP TABLE IF EXISTS `changesets`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `repository_id` int(11) NOT NULL, - `revision` varchar(255) NOT NULL, - `committer` varchar(255) DEFAULT NULL, - 
`committed_on` datetime NOT NULL, - `comments` longtext, - `commit_date` date DEFAULT NULL, - `scmid` varchar(255) DEFAULT NULL, - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), - KEY `index_changesets_on_user_id` (`user_id`), - KEY `index_changesets_on_repository_id` (`repository_id`), - KEY `index_changesets_on_committed_on` (`committed_on`), - KEY `changesets_repos_scmid` (`repository_id`,`scmid`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changesets_issues` --- - -DROP TABLE IF EXISTS `changesets_issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets_issues` ( - `changeset_id` int(11) NOT NULL, - `issue_id` int(11) NOT NULL, - UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), - KEY `index_changesets_issues_on_issue_id` (`issue_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `comments` --- - -DROP TABLE IF EXISTS `comments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `comments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `commented_type` varchar(30) NOT NULL DEFAULT '', - `commented_id` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `content` text, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), - KEY `index_comments_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_field_enumerations` --- - -DROP TABLE IF EXISTS `custom_field_enumerations`; -/*!40101 SET 
@saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_field_enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `custom_field_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `position` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields` --- - -DROP TABLE IF EXISTS `custom_fields`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(30) NOT NULL DEFAULT '', - `field_format` varchar(30) NOT NULL DEFAULT '', - `possible_values` text, - `regexp` varchar(255) DEFAULT '', - `min_length` int(11) DEFAULT NULL, - `max_length` int(11) DEFAULT NULL, - `is_required` tinyint(1) NOT NULL DEFAULT '0', - `is_for_all` tinyint(1) NOT NULL DEFAULT '0', - `is_filter` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `searchable` tinyint(1) DEFAULT '0', - `default_value` text, - `editable` tinyint(1) DEFAULT '1', - `visible` tinyint(1) NOT NULL DEFAULT '1', - `multiple` tinyint(1) DEFAULT '0', - `format_store` text, - `description` text, - PRIMARY KEY (`id`), - KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_projects` --- - -DROP TABLE IF EXISTS `custom_fields_projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_projects` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY 
`index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_roles` --- - -DROP TABLE IF EXISTS `custom_fields_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_roles` ( - `custom_field_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `custom_fields_roles_ids` (`custom_field_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_trackers` --- - -DROP TABLE IF EXISTS `custom_fields_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_trackers` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_values` --- - -DROP TABLE IF EXISTS `custom_values`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_values` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `customized_type` varchar(30) NOT NULL DEFAULT '', - `customized_id` int(11) NOT NULL DEFAULT '0', - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `value` longtext, - PRIMARY KEY (`id`), - KEY `custom_values_customized` (`customized_type`,`customized_id`), - KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=11184 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table 
structure for table `documents` --- - -DROP TABLE IF EXISTS `documents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `documents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `category_id` int(11) NOT NULL DEFAULT '0', - `title` varchar(255) NOT NULL DEFAULT '', - `description` text, - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `documents_project_id` (`project_id`), - KEY `index_documents_on_category_id` (`category_id`), - KEY `index_documents_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `email_addresses` --- - -DROP TABLE IF EXISTS `email_addresses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `email_addresses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL, - `address` varchar(255) NOT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `notify` tinyint(1) NOT NULL DEFAULT '1', - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_email_addresses_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `enabled_modules` --- - -DROP TABLE IF EXISTS `enabled_modules`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enabled_modules` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL, - PRIMARY KEY (`id`), - KEY `enabled_modules_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table 
`enumerations` --- - -DROP TABLE IF EXISTS `enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(255) DEFAULT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `project_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `position_name` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_enumerations_on_project_id` (`project_id`), - KEY `index_enumerations_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `groups_users` --- - -DROP TABLE IF EXISTS `groups_users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `groups_users` ( - `group_id` int(11) NOT NULL, - `user_id` int(11) NOT NULL, - UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `import_items` --- - -DROP TABLE IF EXISTS `import_items`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `import_items` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `import_id` int(11) NOT NULL, - `position` int(11) NOT NULL, - `obj_id` int(11) DEFAULT NULL, - `message` text, - `unique_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `imports` --- - -DROP TABLE IF EXISTS `imports`; -/*!40101 SET @saved_cs_client 
= @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `imports` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(255) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `filename` varchar(255) DEFAULT NULL, - `settings` text, - `total_items` int(11) DEFAULT NULL, - `finished` tinyint(1) NOT NULL DEFAULT '0', - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issue_categories` --- - -DROP TABLE IF EXISTS `issue_categories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_categories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(60) NOT NULL DEFAULT '', - `assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issue_categories_project_id` (`project_id`), - KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issue_relations` --- - -DROP TABLE IF EXISTS `issue_relations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_relations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issue_from_id` int(11) NOT NULL, - `issue_to_id` int(11) NOT NULL, - `relation_type` varchar(255) NOT NULL DEFAULT '', - `delay` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), - KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), - KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table 
structure for table `issue_statuses` --- - -DROP TABLE IF EXISTS `issue_statuses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_statuses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `is_closed` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `default_done_ratio` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_issue_statuses_on_position` (`position`), - KEY `index_issue_statuses_on_is_closed` (`is_closed`) -) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issues` --- - -DROP TABLE IF EXISTS `issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issues` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL, - `project_id` int(11) NOT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `description` longtext, - `due_date` date DEFAULT NULL, - `category_id` int(11) DEFAULT NULL, - `status_id` int(11) NOT NULL, - `assigned_to_id` int(11) DEFAULT NULL, - `priority_id` int(11) NOT NULL, - `fixed_version_id` int(11) DEFAULT NULL, - `author_id` int(11) NOT NULL, - `lock_version` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `start_date` date DEFAULT NULL, - `done_ratio` int(11) NOT NULL DEFAULT '0', - `estimated_hours` float DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `root_id` int(11) DEFAULT NULL, - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `is_private` tinyint(1) NOT NULL DEFAULT '0', - `closed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issues_project_id` (`project_id`), - KEY `index_issues_on_status_id` (`status_id`), - KEY `index_issues_on_category_id` (`category_id`), - KEY `index_issues_on_assigned_to_id` 
(`assigned_to_id`), - KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), - KEY `index_issues_on_tracker_id` (`tracker_id`), - KEY `index_issues_on_priority_id` (`priority_id`), - KEY `index_issues_on_author_id` (`author_id`), - KEY `index_issues_on_created_on` (`created_on`), - KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), - KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB AUTO_INCREMENT=620 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `journal_details` --- - -DROP TABLE IF EXISTS `journal_details`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journal_details` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journal_id` int(11) NOT NULL DEFAULT '0', - `property` varchar(30) NOT NULL DEFAULT '', - `prop_key` varchar(30) NOT NULL DEFAULT '', - `old_value` longtext, - `value` longtext, - PRIMARY KEY (`id`), - KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `journals` --- - -DROP TABLE IF EXISTS `journals`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journals` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journalized_id` int(11) NOT NULL DEFAULT '0', - `journalized_type` varchar(30) NOT NULL DEFAULT '', - `user_id` int(11) NOT NULL DEFAULT '0', - `notes` longtext, - `created_on` datetime NOT NULL, - `private_notes` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), - KEY `index_journals_on_user_id` (`user_id`), - KEY `index_journals_on_journalized_id` (`journalized_id`), - KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1; 
-/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `member_roles` --- - -DROP TABLE IF EXISTS `member_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `member_roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `member_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - `inherited_from` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_member_roles_on_member_id` (`member_id`), - KEY `index_member_roles_on_role_id` (`role_id`), - KEY `index_member_roles_on_inherited_from` (`inherited_from`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `members` --- - -DROP TABLE IF EXISTS `members`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `members` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `mail_notification` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), - KEY `index_members_on_user_id` (`user_id`), - KEY `index_members_on_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `messages` --- - -DROP TABLE IF EXISTS `messages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `messages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `board_id` int(11) NOT NULL, - `parent_id` int(11) DEFAULT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `content` text, - `author_id` int(11) DEFAULT NULL, - `replies_count` int(11) NOT NULL DEFAULT '0', - `last_reply_id` 
int(11) DEFAULT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - `locked` tinyint(1) DEFAULT '0', - `sticky` int(11) DEFAULT '0', - PRIMARY KEY (`id`), - KEY `messages_board_id` (`board_id`), - KEY `messages_parent_id` (`parent_id`), - KEY `index_messages_on_last_reply_id` (`last_reply_id`), - KEY `index_messages_on_author_id` (`author_id`), - KEY `index_messages_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `news` --- - -DROP TABLE IF EXISTS `news`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `news` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `title` varchar(60) NOT NULL DEFAULT '', - `summary` varchar(255) DEFAULT '', - `description` text, - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `comments_count` int(11) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `news_project_id` (`project_id`), - KEY `index_news_on_author_id` (`author_id`), - KEY `index_news_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `open_id_authentication_associations` --- - -DROP TABLE IF EXISTS `open_id_authentication_associations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_associations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issued` int(11) DEFAULT NULL, - `lifetime` int(11) DEFAULT NULL, - `handle` varchar(255) DEFAULT NULL, - `assoc_type` varchar(255) DEFAULT NULL, - `server_url` blob, - `secret` blob, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table 
`open_id_authentication_nonces` --- - -DROP TABLE IF EXISTS `open_id_authentication_nonces`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_nonces` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `timestamp` int(11) NOT NULL, - `server_url` varchar(255) DEFAULT NULL, - `salt` varchar(255) NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `projects` --- - -DROP TABLE IF EXISTS `projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `description` text, - `homepage` varchar(255) DEFAULT '', - `is_public` tinyint(1) NOT NULL DEFAULT '1', - `parent_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `identifier` varchar(255) DEFAULT NULL, - `status` int(11) NOT NULL DEFAULT '1', - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `inherit_members` tinyint(1) NOT NULL DEFAULT '0', - `default_version_id` int(11) DEFAULT NULL, - `default_assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_projects_on_lft` (`lft`), - KEY `index_projects_on_rgt` (`rgt`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `projects_trackers` --- - -DROP TABLE IF EXISTS `projects_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects_trackers` ( - `project_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), - KEY `projects_trackers_project_id` 
(`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `queries` --- - -DROP TABLE IF EXISTS `queries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `filters` text, - `user_id` int(11) NOT NULL DEFAULT '0', - `column_names` text, - `sort_criteria` text, - `group_by` varchar(255) DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `visibility` int(11) DEFAULT '0', - `options` text, - PRIMARY KEY (`id`), - KEY `index_queries_on_project_id` (`project_id`), - KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `queries_roles` --- - -DROP TABLE IF EXISTS `queries_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries_roles` ( - `query_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `repositories` --- - -DROP TABLE IF EXISTS `repositories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `repositories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `url` varchar(255) NOT NULL DEFAULT '', - `login` varchar(60) DEFAULT '', - `password` varchar(255) DEFAULT '', - `root_url` varchar(255) DEFAULT '', - `type` varchar(255) DEFAULT NULL, - `path_encoding` varchar(64) DEFAULT NULL, - `log_encoding` varchar(64) DEFAULT NULL, - `extra_info` longtext, - 
`identifier` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_repositories_on_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `roles` --- - -DROP TABLE IF EXISTS `roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `assignable` tinyint(1) DEFAULT '1', - `builtin` int(11) NOT NULL DEFAULT '0', - `permissions` text, - `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', - `users_visibility` varchar(30) NOT NULL DEFAULT 'all', - `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', - `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', - `settings` text, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `roles_managed_roles` --- - -DROP TABLE IF EXISTS `roles_managed_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles_managed_roles` ( - `role_id` int(11) NOT NULL, - `managed_role_id` int(11) NOT NULL, - UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `schema_migrations` --- - -DROP TABLE IF EXISTS `schema_migrations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `schema_migrations` ( - `version` varchar(255) NOT NULL, - PRIMARY KEY (`version`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; 
-/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `settings` --- - -DROP TABLE IF EXISTS `settings`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `settings` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `value` text, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_settings_on_name` (`name`) -) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `time_entries` --- - -DROP TABLE IF EXISTS `time_entries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `time_entries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `issue_id` int(11) DEFAULT NULL, - `hours` float NOT NULL, - `comments` varchar(1024) DEFAULT NULL, - `activity_id` int(11) NOT NULL, - `spent_on` date NOT NULL, - `tyear` int(11) NOT NULL, - `tmonth` int(11) NOT NULL, - `tweek` int(11) NOT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `time_entries_project_id` (`project_id`), - KEY `time_entries_issue_id` (`issue_id`), - KEY `index_time_entries_on_activity_id` (`activity_id`), - KEY `index_time_entries_on_user_id` (`user_id`), - KEY `index_time_entries_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `tokens` --- - -DROP TABLE IF EXISTS `tokens`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `tokens` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `action` varchar(30) NOT NULL 
DEFAULT '', - `value` varchar(40) NOT NULL DEFAULT '', - `created_on` datetime NOT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `tokens_value` (`value`), - KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=46 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `trackers` --- - -DROP TABLE IF EXISTS `trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trackers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', - `fields_bits` int(11) DEFAULT '0', - `default_status_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `user_preferences` --- - -DROP TABLE IF EXISTS `user_preferences`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_preferences` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `others` text, - `hide_mail` tinyint(1) DEFAULT '1', - `time_zone` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_user_preferences_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `users` --- - -DROP TABLE IF EXISTS `users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `users` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `login` varchar(255) NOT NULL DEFAULT '', - `hashed_password` varchar(40) NOT 
NULL DEFAULT '', - `firstname` varchar(30) NOT NULL DEFAULT '', - `lastname` varchar(255) NOT NULL DEFAULT '', - `admin` tinyint(1) NOT NULL DEFAULT '0', - `status` int(11) NOT NULL DEFAULT '1', - `last_login_on` datetime DEFAULT NULL, - `language` varchar(5) DEFAULT '', - `auth_source_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `identity_url` varchar(255) DEFAULT NULL, - `mail_notification` varchar(255) NOT NULL DEFAULT '', - `salt` varchar(64) DEFAULT NULL, - `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', - `passwd_changed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_users_on_id_and_type` (`id`,`type`), - KEY `index_users_on_auth_source_id` (`auth_source_id`), - KEY `index_users_on_type` (`type`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `versions` --- - -DROP TABLE IF EXISTS `versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', - `effective_date` date DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `wiki_page_title` varchar(255) DEFAULT NULL, - `status` varchar(255) DEFAULT 'open', - `sharing` varchar(255) NOT NULL DEFAULT 'none', - PRIMARY KEY (`id`), - KEY `versions_project_id` (`project_id`), - KEY `index_versions_on_sharing` (`sharing`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `watchers` --- - -DROP TABLE IF EXISTS `watchers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `watchers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `watchable_type` varchar(255) NOT NULL DEFAULT '', - `watchable_id` int(11) NOT NULL DEFAULT '0', - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `watchers_user_id_type` (`user_id`,`watchable_type`), - KEY `index_watchers_on_user_id` (`user_id`), - KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `webhooks` --- - -DROP TABLE IF EXISTS `webhooks`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `webhooks` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `url` varchar(255) DEFAULT NULL, - `project_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_content_versions` --- - -DROP TABLE IF EXISTS `wiki_content_versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_content_versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_content_id` int(11) NOT NULL, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `data` longblob, - `compression` varchar(6) DEFAULT '', - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_content_versions_wcid` (`wiki_content_id`), - KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_contents` --- - -DROP TABLE IF EXISTS `wiki_contents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `wiki_contents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `text` longtext, - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_contents_page_id` (`page_id`), - KEY `index_wiki_contents_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_pages` --- - -DROP TABLE IF EXISTS `wiki_pages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_pages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) NOT NULL, - `created_on` datetime NOT NULL, - `protected` tinyint(1) NOT NULL DEFAULT '0', - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), - KEY `index_wiki_pages_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_redirects` --- - -DROP TABLE IF EXISTS `wiki_redirects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_redirects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) DEFAULT NULL, - `redirects_to` varchar(255) DEFAULT NULL, - `created_on` datetime NOT NULL, - `redirects_to_wiki_id` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wikis` --- - -DROP TABLE IF 
EXISTS `wikis`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wikis` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `start_page` varchar(255) NOT NULL, - `status` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `wikis_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `workflows` --- - -DROP TABLE IF EXISTS `workflows`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `workflows` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL DEFAULT '0', - `old_status_id` int(11) NOT NULL DEFAULT '0', - `new_status_id` int(11) NOT NULL DEFAULT '0', - `role_id` int(11) NOT NULL DEFAULT '0', - `assignee` tinyint(1) NOT NULL DEFAULT '0', - `author` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(30) DEFAULT NULL, - `field_name` varchar(30) DEFAULT NULL, - `rule` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), - KEY `index_workflows_on_old_status_id` (`old_status_id`), - KEY `index_workflows_on_role_id` (`role_id`), - KEY `index_workflows_on_new_status_id` (`new_status_id`), - KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump 
completed on 2020-05-03 10:09:32 diff --git a/salt/playbook/files/playbook_db_init.sql b/salt/playbook/files/playbook_db_init.sql index ab3acc1e8..c74869e82 100644 --- a/salt/playbook/files/playbook_db_init.sql +++ b/salt/playbook/files/playbook_db_init.sql @@ -455,7 +455,7 @@ CREATE TABLE `custom_values` ( PRIMARY KEY (`id`), KEY `custom_values_customized` (`customized_type`,`customized_id`), KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=93998 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=120758 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -523,7 +523,7 @@ CREATE TABLE `email_addresses` ( LOCK TABLES `email_addresses` WRITE; /*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; -INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(2,8,'analyst@localhost.local',1,1,'2020-04-26 18:46:48','2020-04-26 18:46:48'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); +INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); /*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; UNLOCK TABLES; @@ -606,7 +606,7 @@ CREATE TABLE `groups_users` ( LOCK TABLES `groups_users` WRITE; /*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; -INSERT INTO `groups_users` VALUES (5,8),(6,9),(7,1); +INSERT INTO `groups_users` VALUES (6,9),(7,1); /*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; UNLOCK TABLES; @@ -825,7 +825,7 @@ CREATE TABLE `journal_details` ( `value` longtext, PRIMARY KEY (`id`), KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=901 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=2278 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -857,7 +857,7 @@ CREATE TABLE `journals` ( KEY `index_journals_on_user_id` (`user_id`), KEY `index_journals_on_journalized_id` (`journalized_id`), KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=5047 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=7616 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -894,7 +894,7 @@ CREATE TABLE `member_roles` ( LOCK TABLES `member_roles` WRITE; /*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; -INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(5,5,3,2),(7,7,4,3); +INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(7,7,4,3); /*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; UNLOCK TABLES; @@ -924,7 +924,7 @@ CREATE TABLE `members` ( LOCK TABLES `members` WRITE; /*!40000 ALTER TABLE `members` DISABLE KEYS */; -INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(5,8,1,'2020-04-26 18:48:00',0),(7,1,1,'2020-05-01 16:42:56',0); +INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(7,1,1,'2020-05-01 16:42:56',0); /*!40000 ALTER TABLE `members` ENABLE KEYS */; UNLOCK TABLES; @@ -1086,7 +1086,7 @@ CREATE TABLE `projects` ( LOCK TABLES `projects` WRITE; /*!40000 ALTER TABLE `projects` DISABLE KEYS */; -INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',0,NULL,'2020-04-26 13:13:01','2020-04-26 13:13:01','detection-playbooks',1,1,2,0,NULL,NULL); +INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',1,NULL,'2020-04-26 13:13:01','2020-07-10 19:33:53','detection-playbooks',1,1,2,0,NULL,NULL); /*!40000 ALTER TABLE `projects` ENABLE KEYS */; UNLOCK TABLES; 
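Review bot: The `projects` row for 'Detection Playbooks' flips its fifth column from 0 to 1 in the @@ -1086 hunk; the `CREATE TABLE projects` statement is not in this patch, but in Redmine's schema that position is `is_public`, so the project becomes visible to non-members. Read together with the `roles` hunk (@@ -1237), where the built-in `Anonymous` role gains `view_issues`, `edit_issues`, `add_issue_notes` and `sigma_editor` and its `permissions_all_trackers.view_issues` goes from '0' to '1', and the `settings` hunk (@@ -1310), where `login_required` goes from '1' to '0', the seeded database now lets an unauthenticated client read and modify plays and invoke the Sigma editor. If that is the intended model for this deployment it should be stated in the commit message; otherwise the anonymous permissions list should be reduced to read-only, `'---\n- :view_issues\n'`, and `login_required` left at '1' so the front door, not per-role grants, decides who may write.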
@@ -1137,7 +1137,7 @@ CREATE TABLE `queries` ( PRIMARY KEY (`id`), KEY `index_queries_on_project_id` (`project_id`), KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -1146,7 +1146,7 @@ CREATE TABLE `queries` ( LOCK TABLES `queries` WRITE; /*!40000 ALTER TABLE `queries` DISABLE KEYS */; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); +INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - 
desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(9,NULL,'Active Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\nstatus_id:\n :operator: \"=\"\n :values:\n - \'3\'\n',1,'---\n- :status\n- :cf_10\n- :cf_13\n- :cf_18\n- :cf_19\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); /*!40000 ALTER TABLE `queries` ENABLE KEYS */; UNLOCK TABLES; 
@@ -1237,7 +1237,7 @@ CREATE TABLE `roles` ( LOCK TABLES `roles` WRITE; /*!40000 ALTER TABLE `roles` DISABLE KEYS */; -INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- 
:add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n 
view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); +INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,'---\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- 
:manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: 
!ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); /*!40000 ALTER TABLE `roles` ENABLE KEYS */; UNLOCK TABLES; 
@@ -1310,7 +1310,7 @@ CREATE TABLE `settings` ( LOCK TABLES `settings` WRITE; /*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 
18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://192.168.15.120:7000/playbook/sigmac\ncreate_url: http://192.168.15.120:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 
16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); +INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- 
[]\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.141:7000/playbook/sigmac\ncreate_url: http://10.66.166.141:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- 
cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); /*!40000 ALTER TABLE `settings` ENABLE KEYS */; UNLOCK TABLES; @@ -1371,7 +1371,7 @@ CREATE TABLE `tokens` ( PRIMARY KEY (`id`), UNIQUE KEY `tokens_value` (`value`), KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=60 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=72 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
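Review bot: The `plugin_redmine_playbook` setting in the @@ -1310 hunk now carries `convert_url: http://10.66.166.141:7000/playbook/sigmac` and `create_url: http://10.66.166.141:7000/playbook/play`, replacing the previous 192.168.15.120 addresses with another single lab host; an address baked into the init dump will be wrong on every other install and has to be patched in the database after seeding. Since the file lives under `salt/playbook/files/`, the host is better supplied at deploy time, for example as `convert_url: http://{{ PLAYBOOK_HOST }}:7000/playbook/sigmac` with `PLAYBOOK_HOST` a placeholder for a pillar-derived value if the file is rendered through Salt's template engine, or rewritten by the state that loads the dump. The neighbouring `host_name` ('localhost:3000') and `protocol` ('http') rows are unchanged and presumably have the same deploy-time dependency.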
@@ -1380,7 +1380,7 @@ CREATE TABLE `tokens` ( LOCK TABLES `tokens` WRITE; /*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'); +INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 
18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'); /*!40000 ALTER TABLE `tokens` ENABLE KEYS */; UNLOCK TABLES; 
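Review bot: The new `INSERT INTO `tokens`` still seeds live credentials: the `api` row for user 9 (`'de6639318502476f2fa5aa06f43f51fb389a3d7f'`) is a working Redmine API key on every instance restored from this dump, and the `session`/`feeds` rows for user 1 are real session and feed tokens that may be replayable for as long as the instance keeps them valid. Removing the analyst's rows trims the list but does not change that, and the values are already in git history, so the automation API key should be treated as compromised and regenerated after the next deploy. I would not seed this table at all — `TRUNCATE tokens` before taking the dump, or otherwise exclude it — so each deployment mints its own tokens, replacing the `+INSERT INTO `tokens` VALUES …;` line with `-- tokens intentionally not seeded; each deployment generates its own`. The surrounding `LOCK TABLES`/`DISABLE KEYS` wrapper can stay as is.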
@@ -1438,7 +1438,7 @@ CREATE TABLE `user_preferences` ( LOCK TABLES `user_preferences` WRITE; /*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; -INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(2,8,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); +INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); /*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; UNLOCK TABLES; 
@@ -1481,7 +1481,7 @@ CREATE TABLE `users` ( LOCK TABLES `users` WRITE; /*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-01 18:11:07','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-07-01 17:54:37','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); +INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-10 23:37:45','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member 
users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); /*!40000 ALTER TABLE `users` ENABLE KEYS */; UNLOCK TABLES; @@ -1567,7 +1567,7 @@ CREATE TABLE `webhooks` ( LOCK TABLES `webhooks` WRITE; /*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://192.168.15.120:7000/playbook/webhook',1); +INSERT INTO `webhooks` VALUES (1,'http://10.66.166.141:7000/playbook/webhook',1); /*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; UNLOCK TABLES; @@ -1742,7 +1742,7 @@ CREATE TABLE `workflows` ( KEY `index_workflows_on_role_id` (`role_id`), KEY `index_workflows_on_new_status_id` (`new_status_id`), KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=452 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=642 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
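Review bot: The seeded `admin` (id 1) and `automation` (id 9) rows carry fixed password hash/salt pairs (`'95535e9f…'`/`'5ceb2c95…'` and `'d2e7d78a…'`/`'41043e59…'`), so every deployment restored from this dump shares the same credentials, and the `0` in the second-to-last column — `must_change_passwd`, if the column order follows Redmine's `users` schema — means the admin is never forced to rotate it. These are real hashes from a live instance (admin `last_login_on` advanced to `2020-07-10 23:37:45` in this commit), and the 40-hex-character values look like Redmine's salted SHA-1, which is cheap to brute-force offline once the salt is public. At minimum set that flag on the admin row, `…,'all','5ceb2c95ce1593d4ba034d385ceefb2f',1,'2020-04-26 13:10:27')`, and have the deploying state set a per-install password; better still, do not seed user credentials at all and create the accounts at deploy time.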
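Review bot: The `webhooks` row pins the Playbook callback to a lab address, `http://10.66.166.141:7000/playbook/webhook` (previously `192.168.15.120`), and the same literal is in the `plugin_redmine_playbook` `convert_url`/`create_url` setting rows above; every re-dump from a developer box will churn it, and a fresh install will post whatever the webhook plugin sends to whichever host holds that IP. Since this file lives under `salt/playbook/files/`, the address belongs in a pillar value or template rendered at deploy time rather than baked into the seed. It is also plain `http://`, so unless the receiver is on the same host the payload crosses the network unencrypted and the receiver is not authenticated. If the literal has to stay for now, document that it is a placeholder, e.g. `-- webhook and plugin URLs are placeholders rewritten by the playbook state at deploy time`.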
@@ -1751,7 +1751,7 @@ CREATE TABLE `workflows` ( LOCK TABLES `workflows` WRITE; /*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition'
,NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','1
2','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermissi
on','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'); +INSERT INTO `workflows` VALUES 
(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission',
'tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission',
'3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermis
sion','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1,2,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'Workfl
owPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'WorkflowPermission','3','readonly'),(576,1,3,0,2,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,
2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2,0,0,'WorkflowPermission','8','readonly'),(611,1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(6
14,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'); /*!40000 ALTER TABLE `workflows` ENABLE KEYS */; UNLOCK TABLES; /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; @@ -1764,4 +1764,4 @@ UNLOCK TABLES; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2020-07-01 20:41:10 +-- Dump completed on 2020-07-10 23:39:20 
diff --git a/salt/playbook/files/redmine.db b/salt/playbook/files/redmine.db deleted file mode 100644 index 520f0b3c36d4c62f9b41bd2967801a4b5d47f774..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2207744 zcmeF434j|_{rD&MIWtR3SxPCLF2{D;W;Zjr!@0Bz6iQoqP!1tXlF4q`97{53yMREl z+;WSesNnTOMFm6z1O!Du#0ybDQQ;4Y2g-dZp!~n@y-7CNO}B>>+Vb6Lzwi6ryz}#p znaP`ZZ^bc-v$`f_ilw}&O98HfGnu$UB#GnFcXOP12FICnj^nNb{YEgY@W1|Nsw*2e zAr9Zmci6y#N4&=j#@*r{#J`G9i;sy9i}#E7h;NCHh_8t+h<9u}4m^VdkN^@u0!RP} zAOR$R1dsp{Kmter32>jQO#=$2RL=mJtqy|xd~JV_nd$i{6hjr00|%gB!C2v01`j~NB{{S0VIF~b{Ycb)$C+a z-X#8w6zOJW>@=mrf*=7TfCP{L5pgAYl@3=HMUxAps}N4V_B)VMoZ~xMK8kg^f1NUJ3J!C{81$& z2LfTmpJ+L==V7|GLGRn(8y?YziUnUeRmu+Qk)S`RrL}M>p!w5^5>vEHG~&;wsZ=+?qe z>i4#9u#@DD7jNQR;z~|@ReV6qh>wbwiC+*;7rz5e_=g0L01`j~NB{{S0VIF~kN^@u z0!RP}OhTZ;W!cx1%?}q#dIC1r%a_elEtYvEt)M1zS~`)3_w{pH**V2wndi!u%M~qA z(sK0YjdF(#g66e+QY$4&Met?w+AT9p>$T)ivADME6z}Ei9OraeI$i6tYqMqXuf*;# zTc(@!;##dx<}RITwRBrjl`{Nfl31taDq5L)U=8HfThFn_WSQw&uj;8GtyCu8|HGz# z_=g0L01`j~NB{{S0VIF~kN^@u0!RP}?8F3k%ca~@?k2OS36BXO{xa|9yxrVQ?w8#k zaXsLgYFh3Xw*Sm}yLCVFn`Woe_kn|`O5!xm*EfxW-z}Ujr^yBHi8!mP`9rQcB-Urs`cNXLjub0; zT3npZ783angk2<+*S%-|debSmxahI#qMCcH?|K)2e+&wh38R z^_U6SUZ9pWsULDVavJ=6G?w{QrCd3s782QFVuhxbQbQ7yVt9TUUfjtR<`drYAsbMh z1p~`hs`@guTn6|Hm#hGPhNsM_>B9W%uzTvZDkuEnm0Fuf7B{%7yY2;*wC{A*j$B4N z8kkVp71_aps#i*yv}j>jFG1z+vbC9;(1@TS##fBz67EwUcpqz%fvT`4;F`WkT%=9c zL3M0PP+#`UfadC(_Q1YPz06gcHlYIhSFYS|!BNsmEj3igo?6ky8th6~|5S$dNKC~r z1BMwi%#dM*4KrexQNxTeQ}!FC5ua?tCmZp}MtrgnpKQb@8}Z3Te6kUrV#KEy@hL`p ziV>e;#HSeXDMoyX5uakjrx@`CjQ9dZd;ufAfDvE7h%aEo7ck-r81V&+_yR_JK_kAP z5ns@VFKEOUG~x>y@db_ef<}BnBfg*!U&x3rWW*OT;tLt^g^c(@MtmV7zK{`L2;zff zY>ux=du-O#Vd=0|qQAGRIcZ5z*UF@CTHmwwI_cFRIvuh&W17}9%sQ)Wt`2NfpRwk; zK3hl^*O#H8<+6p!1~AnET)wiU3UMozp>3B&+``rtV*E(d<`Thi)szIiZsxRVWD~hx zpz7LSu{6?>eP4N`oG%t2w@?;evXafg#niCDB1S1g&8xZfYDqI}MIB}->Yj@0;gU0? 
z!L@hFHY{hguM?`MbK2@n6mqe)4zkj?dgqGkA)k2wSIL7ilpP!b171PZvnjZyd$(nd zcb!Iays5h)xSGK&477F6)@EkHMQqZxK4llkR{g5sG&!e{o3)7-+5QT=u3KW4SMy5f zjqh3R+FW9*(>owjvm1Ai?DlNp9prM2-U7n?A1Sl@JBPN*SsEg2^nj%!11-yv!nyAqMArRlGK1Y;|vEQ?v%yR<7i9 z_Owujff72B?LEuvMmrLD2J_k>gPq3xs?)_XIC11znbl#Ao!-~KXZdOavAVk%vNLOw zyp|@(*A76Okg~jIIhu?VbS#|z-wp;?%mNZX0!RP}AOR$R1dsp{Kmter2_S)ONq`r> z$xRUl$@l+{i;svu7Oxkt6F((hA&!b?h!wFQ{!_e992D;oZxt_s|Kxa9JYGD0TjmMl zMgm9x2_OL^fCP{L5jnPYO{l3w~BAIWMX%4+{0=!gJHHpM6hUBWVX^`gK#D9ygi2o4(EdEh^ zO#FrTkoW`fPVw8~H^l!FuNAKrFBdNqYp^z;F6LpSz=U|5c#L?YxIjEW42ivBw6gbl)}!WtnZ zd_-6!ED;VD4iRF4BFq!^5oQXz38LT>O#EB?tNcItXZa`j$N5M2AM^L|ck#FK-{i07 zuj4<(U%_9*kMd{m6~4d^@~7~}^UL|8_=Ws|e3wVMvlK1c4 zXS~1n{@VL9?}OfZy?1!O<-NiCCGTgwpYUGlJ>Pq_cf?!ruB9-52mT=eB!C2v01`j~ zNB{{S0VJ?>1Wa#@UUU?Eq4kB)i{^sy`O%BuImUF|=!H2jE*!m(oV#H3!fr5XqZgb8 zMs@Uplfk%e^nw5wcZ^;z4UF%Oo<9i2oulV32IB{#=aT^UjGhk{a{kfndz6{dW&A_N@J90~mYM{&NZ#|E~Qf2FAZ?{~-w8ti3~+y-|DT zFfd-Py+aVZT6_C+FkY#>eJmI+*WM08A;7j9*uu59;Stajs=ZYPBUpRuBVYt-Z$-dR zYH!U3L$3Y%OfdYlf0Huw*8aUe7{1!S_X5LI`_~y@aJ7G_5a-*qe;owIziR)2GI0N{ z{mTW$TeUYUVEniC<}qNrQ+qQG0Xk}LlAMXPH%LtjwKo!A@U=Hc)ZW?~5H z%~pH;1Td_%*GUCfYOj+ly;OURoV&O78p+a6Yp)###!qUmkwX8t_L>ij2Wzi6!FZtd zDj|4(?bQWf{IK@wd@y#cy-Er_rS?h^jH$I(4glkmwO2@%9;&@eO7w8;WzxXTuf0qf z-+8r{3EgvRFXg~Er}h%5#?jhK17OUlz0?mzckQJA%Fn&<``&nSzTl@R*VBAytJNb~0vpGjNVV-xHcc$lQQ1K55AOR$R1dsp{ zKmyx_z6niEVZ0X`M}AiYihnPnJXsy@~{ArRx-|&`&PgtjXn#@y5)uq0)wyv)Lt0hhF3b;vRIF z^!FyQR-k@$>4-%uRvxx!@j$mE?JWU~f+p!jDWm3~@`sCMSfpW{1|(TtXl|gH!Lm?| zfGZZAFmRy1l|a3L`BH{^st9XGQLIv(DDS3;G}34^s#S%xh2r`G)D>ArB2E{K;N7q) zQ@s*kg%8#!j7FL;8fm@h7-x0TvKpI|g(W!}4+i4?NN+R}2>9i=)dAgX-+lY-YPy_J z%jpUKTf+vzaeuH^3CiJURJM??Qz2}Be}8k()*wna9+Z0np0p=(RfZH(ydy^|Eg+?=Gl$=-Fd9d<=(= z;P9yh-#`P0&xqM~w80_a=iS4lY!Mb98G*rp3~Y7y00`EQfpu@<5_r-_h9M2L07ER) zQ=@9>c6Y&G+#l)<`NQFGXmq)WRP8iUwPej4tW?qbg_WyZM@ec_g0VIF~kN^@u0!RP}AOR$R1dsp{*g*+cEiRLd2rCg5BFq*GEQ|={ zaS2!2#3#ku#E*+P@epx}@T72;aODnKP|P+GKmter2_OL^fCP{L5r zZf}#bk9zUSE7+$@u`8&a6D 
zC{K2OftQkObi0OS#>*FECm48Lg5&nKLWY^&&Q+yBD3o=AM}^~NTio0B?N>Y zo37gu{~w^=>Z!0mqG>eY;vGJp&mAum6J;%zNfe5DHj~xTaj9GGcE`z@qVU3YIZ=j1 zA<43Vl3Gr=FzNC?LDYbNR1kN|&gEcNm zwqQlS(?9Btm$VdQHaC(W3!Nrlxyv=M+9#}O2&YMD05`0Jzj=SvQ(+NE%E$hp;Zq$l z!NQlLOI`eAMcznNN++Jws5YW+q>2XBg03e{D;D#xIHNnxta)fBLr_WK_pZThqAAqh z|KGgEfWD9b5=^>bk3Yb z4oEBe4_!PUb=94_q&Z#LbQkQSrE7z*Aj-1ki;nJJe!O(l!0}T5s+CI@ErD=H4=hC;W4r_&a!7uUl6ZA{K?ZN1EKtJ?1P zCe~=QEe%nn8>lr}_MCvfr{S@+b+1!%m9Z``C%93MDVQvRsU4V6>XOK&ZaS=a)YA5c ziEHcmo?~~ncg~w;I-PDJRnXR#n)dU1@OarEhm4eWtz`RiK&X z6SOImTP)sIpe^UNiY$vEdm1#9ma%t|7TOe~X=rUzEW&`51SUsw=}m()+CIVGQw_Tv zow1my=4eJjBPu8K5^R777o+Cr$6P&aA&m=4Xf+4lbnc8qH{lU7?%H_9jfOlf<8@c} zWErn}+VYII={;>~tA{_DJMz65cu(lHcltU_XVFn+eRgfOd6=Pgzfn?SoEh(j4K&o1 z6t}4WJ=Fo9qqDQqRLjzKLH$tC*9xx@xVepP*4;=`YW2aUd0d5E_ewgQm>)NuG~Lj! z?MEkedASi$50Jj-y`lZT#_$ShipJN zA42vVZnbxw7&39R{taI+m=>u$p~5X0+#Qw*YAykrFREm(#Dv_=)mB|%add`4rrNivbeWvOxR$t?TObB3Zg)!kgAz|!`IXR6UGXHNE zuQkKoe@~0|ijRmliP!$GjSs^k0VIF~kN^@u0!RP}AOR$R1dsp{KmuDrKy=u-nNAb8 zFk2>5X=%G)Ck`%dQJ#GSB3hY;MFlb&u}-s!Hs;U|vu$8c+jxten+{RXT@y45$9YY5 zu9L)BQZu@lcRay)t+#OA?|bKYe2&BHpSDkRU*LL6IM(^5^%m!;&QrG}zvveUAOR$> zEeX_4KH1SZd$#FZV-jgdEevY#`5XKQTG#e({dsik1o>UGdG4V8^ZvLWh{-2*<*Z&T zjkHV*)qTS+#wBfCwhX`KPW*M1{G1Hm3TAcqHGJ%B{Y?hr<%qhE)|uSK@6|>eE#KjY3eO-i$wpmFCX%n8js+Cio;Y99KV_&DF=tVgs~__(vTTH%w=(XkB>~evvrW|l8LCF7P0(Hka@|;eJ-}eJYRRHw zRt-o-%NjdB7RJETh>b96?Z!Z;(QA7KPjYkyW}2!Vnh9g7q`7U^o%U_5rMmNk)?7a^ zz8Uk!aMx@lscjsr>N(EQIRKMReUw3cD!MTb-&Dj2=N7k8nQ*=-EUTCaKE`vZcCBVp zU@*-Jce)e&PjEQO$b#{%+Jy7t5@^i&)<@!&w>>uZHGtC(reo5mk7km7uMJHw$0qj1 zSr2W^;JC9Sd(Bs(%^H(f9GMclN75X&J`6z%XFl}e#?IF>+xlWi2S^b;HoX|0wC=O-jrFMspZnPF~M2k;Jn$+nGq?)D%3X!l3xd#2~j zrnOQZ9P8#jt#wd$9^WVG?RwnZnbFl-nt0n@-FmUEdl}!x%c)X!n9R(NUDwCFLR-@^ z8CX04o~0+b-KxJp(DL41J(l`SSDSbD8XeE@Ltb!U>qE4@2RGhd{auvt_jldJVXe>& znJ&Ytwy+#Tn<5p81#Rrr+aA(Z?c!4)OO7FURh=MzlmRh)0M7rRi>w9tj3>y6u>T)? 
z1Ms}~H}Oy6lj85hUyHvG9~K`Fzc1b;-X?xa{D$}y@r&Z;#7~JI7cUhr6weXQ5>FE= z;;^_@%!sP^5plJ+Ts&GlLR=soB*w&`*eA{v_Z1~^hPa!!i|7>{qFMNl@Gs$2;RWIE z!k>kwgeQdG2#*Lq5grtNAlxn7F5Dt~Q~0XzCE;4()52B4Wx_?mxx(4P>B2hUR3Rq} z3Q6H4;W%N1utZoSEEEnF;zCI93-g5igxSKLLZ>iA;032(;s4A3n}3aek$;YVmj8eJ z@A=30U-CcYf5hL%e~-U||2BUk|26*0{B`^_{3rO!`H%7E@n`d=@j74NhxjD_5&l?y z8Gj_dkUxlz@(Mqn-;bC0J@{RDfp_v|?>pW%yf1m5^ZwcUr1!VpN4-DwJ_v75-08j5 zd!zTO-Y;0tna_>dnbG&DIH+W0loHye=#e0HxrFV(<2=AfZ1H56c-#gd4k9RNc z?%pY0uh;J7Ja2hk^St2so97wNA3TqF9`QWvx!-e-=MK*;o^N=r_k7-Sjpr)QrJf5s zHP0EIb)I3*8c*7DvgbI@a?fJVVV*-gaZk|wq?Vw8BcUy1R4zjV`X2B69t<`Z5l}B>kdPW_`HtESGz0jne)})^| zrhBfj?plurO(cK>+7U3XY3KSux!Ei(GxrRYPgD8-sC@JeAi`c`cQnqw=#< zeum0xsQfgQpQ7?=DnCi(C#bxN%8yfdC6!lDc{!DrQF$qqmr!{zl^>(>A}TMW@&YQ) zr}8{1&!zGlDo3fTQCX$(Y^%j(I*W)iiTEfHXAp5Z5vLI`Lc|6l))TRghzb!p5oIDu zM4U>*FcC!}3Pj|I$PuxYh&4oHi5MbckcbQs8WCwCQbZ()P>DE&hy)QQ6LAs|A0gsI zB2FOUcp{D?Vl@%R60wSil|-x{VmT4V5V4Gir9>#6Cn{Xi-^65m`TK*M9d&!4ai#gOEew`#6!{ENGKEwM#=L(*YV+GjHN~bNB{{S0VIF~kN^@u0!RP}AOR%sVIe@? 
z|HtS54@+%hIgtPoKmter2_OL^fCP{L5&2_Y8m#PhvbY#l^4m|GDssZ}uv*`b zsK*Zz9xN*oKmter2_OL^fCP{L540Crs4K9Bjb4hb|y#_ANj=8Mn?(%@kpT=B{ z;_jRcE>DlS9L#+;3@%TNxhUKnM}f;DV=nt~x1S6y4~@A@=Wf%%<-su*p8L)P`2IgI z!9OH`1dsp{Kmter2_OL^fCP{L5_)xDLnVc5$w-+;uoV)w{pv7oMd14fjRv zyuo8q^$YTeXi%Et>IbY9y>GAvK)Ngd)+55=lmbekC1E z1=Oe#jAa6<9L_Z2gt7(VekC3Z^#(%GKorW%N=^1hhBM@3Z&(Qj{E@XI;}VlY{zxpS z`ZLj3G6Naa{7S|jh(KXt{!}QW#Ue_?A4w@JO4+A`$$rWZYar4ajt1nIQMAUHU_9XO z4F*C1#h>vxIM-CDHFY=})|61juR@hYk|8aVl#{9!NT(yIOj1cF!@+ba6IKF#wJ}8l zS&zgOh%M3^j6s>8!q}$IWV`0pGv4dDHN%h;X&^@XNNIs+I7Zq>EEtN#l3GfU6)0#X z8cxSjz*Gy!K^0mMB?XyRBt?!xE0C4mP>4`$oC%RL!C+jLd%-Q{53DJ+rWFn*(-|$L zDls{o@uy>f2GuUXz&ut)?tWhSFW zp)jdT%%9Pq)d%EMESynOu}Cl!3P+=v6l-y^pG+jm(3cf5kr+^*!$4J%T=;zfnQR?S z{>7j-gp_bJt3bgz$w&pUrptj~2s(c>BL~v4Ocbgt98=R7ITauSh6cSl6!rUINNH}| zQNj@F3w9z8Dl943>zwUU-h77V&){1sQ@&OrY;Mm3cyzFy>cuH1MtSr2={Q=_oYy4PaoF=l~fc))nqCf z2?c|}qzq$WETqO_DLOEwGH}HSkj&RxH5&>8WOsRJXpxw|WhjKJO*pQ|y--$Y@mbzz z7IxY!BI#gSP5Hwz3`t=acGIwRebf(wgq&8PVWy#-L(9*AD;e|ZyVyeu490q)S;7dl z@iUzGiTAHr3|XLSk>*Z|1^p)$fPoJ#C&^?CE)I&CmXpB@T&)ynFcIimpukm>7OOEs zACCKF7WvjDMJ;gqin|;#s*)CWA zF7T!AG;Z3_&VX9ci+PoN>8rpy4=~LLFCL`eRe?|@9D)}GG}YMP>^Qjtik<&~CboW>v?%h@@udZJ@0H{+xk zGn_32EvUJXvYv)_i_(DrysHq<)KD;#O2MliijsjzRV@SWw7{zu0Vt57GVg}L=BCHJ z?*wnN1f%sbLP_AI1^D_IUT1(=*GM$vHzt$e4Ert`=3~RXQ6&OzLe$F$^We!)2wv&X z3p^jhSydi zF*y}Z2Q#U#3h$&qq|qR}yaewD1mIl{KY6K3_OGZ6Yo&e?qP1i)`LG*a{0M}|n_MLA z#+)&{sT1pkoCca+8LH<>3G@bGHeQxVxzt=P8VH3`@M=;Z8c0XUOI7efR$5k6GGnbm zbxtUj5?E`U%JDou%jx7unYy_i4n9YRb}*7JR>~9d5{ULHG+Dwy~*OE*lTa%;`R+O*-XhzaU;Jo-PiFtHeXaK5qwA>6G(5&&dDEC2_6Is@dp0>m6*$;WiVDG2MX24Mxpa7S(Th7+uj>h}l0SEu0w-yHZuayaDgsO?sF zf{!BPAe`u^O=~y-4OpZQGO?@SqyP$7=F$(orcx(Z!xG|($uh~;6vGKtyagDrRAEPL z7sCkv`e6}860oDiDWpI^vBe3#Ug@X_bteEF2m}>y;u}s-YRDQy?`2MY_}Bv$^n`Cd zI%*!nDF~?nF9k@r>rQ@H#MdA22Rmvm>IBsokYO!HpwUrt)}6>go(e6Hqu~Sr6@MUT z6Yt=h;#JU6P4mQWh}Vm^h@Tg)60Z>-79VLk-V%-D18dTlFcLrlNB{{S0VIF~kN^@u z0!RP}Ac38ZfN92O_JJqz13#mIoOaC#P{8k9eGteaKLNU_^HYBDF>cEEVw)C!ZZ(`e 
z=33%^?)bCq?KW_>iqC;GT`#^Zz9GIuE$uy{D-u8gNB{{S0VIF~kN^@u0!RP}AOR$> z-4ifxFBCONE-SPFMpg11uK~6XHTItPZf7;O76!zrz28 ze}exxe;Di@axgOWut41n&~>q291}u6Hl*6tCU$mgfb}GoHsh4}0$M+~T?3bB*UxPtCK= zv&M6>XSwGvPu$b%>GJI6al8NPe#QM4_Y>})yYF+~=Dxvwt@}#%dG6EP1$WYYtoum! zL2kvppL-9t;O1Pfxc=;V%=M7#PS-bF*Saou)m*wO<2ufDr0W1zuS;@Gaao;jIREB+ z!ueC@JbTzVDaS>Q zGaLoSDURiig^sXej$;pp*ZyDoOZI2%zqUVUzr%im{j>HW^9VCVk8Y`H?>%=Q4YJ-}@DGu!>l_Csd-A+z1bZ1*wS518!-%=Ud|`#!VX%WU^D+da&7 z53_xb*}lhYcQf1F%yt*E-NkHoGTWWZ_FZQCF0}?JLZ7J+ocUZ2!k>|Ho`!X0|Ug+n1Q_OU(8~ zX8R(ueSz7&z-*sqw$C%$b%50Z1+a=6)3A0_yY!@@z$C&M7%ytp8UBqk`GTVjBb^)_pz-;F;+xg6P z9s_RrQQ@u>} z64gsoKb7jIQhk`}!&EO)y-4)})eBV5Q$0`h9MyAFUrY71R9{2&HB`@1Jxlc=st-|p zkm`d}&rm%>b&cv8)zef@Q$0oX6xEYdPf}f_x=Qs^sD2976I4%7{bZ`2O!bqfeiGF` zLiLYO{Y0vtNc9t_egf5xr~2_!KaT3hQGGSlS5y61svk@BRa9R^^_5g#N%a*}UqSWd zR9{Z@W2k-%)t6Cy8P%6keJRzKP<;v2kEZ(3R9{T>#Z*6v>PJ!iNU9%6^+i-)MD-)6 zegxGIr~2VkKaA>!QGI~w15{r~^@UVlK=lPwKa}c+QoWz*{Zv1M>W5JMV5%QX^@FH> z5Y-Q)`hiqGfa(WOeSfO&PxUy}<5Z7PJx28?)uU98P(4ERFxA6U4^cft^&r)QR1Z)+ zKy`)c3e{z*%T)JM-B0yCs`pX7m+HM#_fg$P_4!nvPxX0JpGWn%RG&-r9;)|HeGb*< zP`#V#-BjO?>ibcBU#jm*^?j(m57qak`rcIUqIwtAXH$JP)g`J+RG&rlSybPP>U&Xr zCe>$BeNU?IN%a|2pF#CKsJ;i)r&E18)pw`*?o{ujdMDL)qxx=CpGNg*RNs~AyHb5B z)u&Q@3e~4jeHW_lLiG-+cTioVx=3|_>H^hys`FI$Qr$~+57j+XcT?R>br;oLRCiL{ zNp%O+9aOhd-A;8I)ooO_Qr${*3)L-DH&fm0vbs81^yK;9Dn84>_x-Pm{}i7Ue`y?_ z5yv0v#jztHvSWcr58>X8AN)D*=i$C|$3I*@+PcGeI2;GV5rLx*j&3++!O;na2#3Sz zaJ&o0n{d1c$6w)i3XaF&_yrt4g5zE|ZinM0IKBeMb#Pn_$7OJw564+>tcRlr#~>UD zI99{46pq8;I2euy9DQ(f!!ZkvPB=t3;LrXp9B;z$A{>8(<0&{EhvOF?wx?k%FA_ik z?>zx0iPCj1>>f=3fo-DZ_l+Fn?i~KQhdF4fA%xyvZ=X zVwl$%=GBIInPHx9m}eR0dc!Ol=AdCF40AOz;q}3@32*%SUS`4`@#k9HpV#yi?AW)t_U zl^TDxP~%T#o5k$np5Z-Da}N6nobWh*n)@HFJDpcLHh>lXkN^@u0!RP}Y$bu(j9mnd z>nXdco)ACVRLw5TmepiVOH0dg>PXq=^SR5qs#nU1Y&!0iqyE2(<16qmXV>>>{9 z)Lca?lXE_)JJRhYL3~o2g(6xilTdvuz@-SpMp^pq}aVeKA>)=*W*C$F^PSvx; z0{AmrhD*i4l2$G!aCu;<0k7x%Yv#%&}+}_m{uIfz6MqF4@Gx}Jo(MxJ-tybE+W)tk*qE;qv zq?I)gHkw<#l_`<;yt!>&)2j6fz$s8&)!@|Jh6=h?DyTWqhPIT~X12LSMiQH7bK4KF 
zYMF-tX;!7dt3Q|9`c~C;Fxn2A3H&nm>8%{WG1#^wP&>gZa<2aB>c$1KssAo0=JS<8 zRv(d8WC!!=7F-Ha^^jZK@7uQM3EelKd_d#f#xKL|F0cF9VQ}2H=_1mf(zENdt?%z! za<3BDajqg{|37Z$`003Cc2SQ*45$siSu*LQ=J1&0ls^`*0IJBfiK)|wrA})5veM4$_ zD9(NtTTvM%lTPvY5#Y8us}C(Iq_dffR?-T3e<}qtT5g!yS_89Kaj6?7N!Wx_!kAis zIXal33wOIy#lkwRq$et+TwEH`_2GD5pBz(q<#4oD4)q4*IPA3P@2h8}uS|a2Ou17f z4JPR}I}{1-R{VOL8c#_~Svj7d8NmMgn12Lo+7UL+6TvdN!{mv;v*$ zgiMYP=kJB>IU{l~8nST*Ho~P!MVK`-7(<<9+J=lqgW+goQP9Q(_OGW1ejAwuy*wWT zsW+%J_LbM7h3zsCiNOY-(Qsf~=F5ppv6NSJJzE%*+lC8 zjdm24WN1gxc+lS)h(tn>m~T%TH*+`?tm-fayc6}O~m}CZtm}GhpOfrYvG=gXY<|MNnhfsTD#_%{3Y;Lz&5HrLs}uAzwh2it=V9J)&XKOUj)0Bw3xCeSoWMVY=V!D#kj3^j+IygZy zZW~)T3_A^nBXexr{^G>ghAYWjHr2K?p_mehMC5K8*C+NDwDpOsuH_SXtx!qmYSIW2 z^O5$Uz?c*dD!svI05(ll_Oo%a*sl*&^2vgl&6UShQ=_y&;MN<6$)RA-zb~z(M&mU` z6{sd-@MDcO22G(i>W@bJ(F69eaeK@Cl`>3_v!0yEmdZMLn<0@?nKF(pO;3r0WjPkw zn{_f6!OFvG!H6LZZ9lK(+69wi(Qr64w+j;G`{}^P5^d|3Y*rkZJDd6?Z)F(KxAP0T zI|l>N`4Tj0z8^XYTvLh}*l1c?JJENrH|7t)X2uI<*|-&AKV%@KHF{i5EeuxFL7EmB zqXxBfwlKb8fk3b~8VW>%k%fENxK)!zq85sUk$kZ-p|R6gA~1HqzR)wF-garUt9m9h z7;VVqpt-7H_y|T|1aZB}^|0Y%6Y}60HtygV?M4^+@=EIkE96t6WJvT!;_ zp=b4+woudI_5j|7p>u5HPNU39%Q{0e?w8{s7+YcIZY6l&bm(|+i=vVnj0Eei=_2eU z4sQTui)pO{b9L!DtmY!f&`u+<{dc!^Rt*5g3fcw>uP+QvFSO9d&hP&BY;7aNxt8(3L-tRK^!uNM>arVpA6lt|Z% z3r}lvg+0+DN+{exZ&6qjgQa3+IH8u|#<2inuHK%z9D+e9EV5ghT(JzpL1h>QbTa0! 
zthZ0k9}D=y!Ya-h5+E$!-+EI90CcrnZ`E+KAxnO^2*={V2;2$=1Cgl0L;KjJAKv|1 z3zz!gEWGhWlPeV4)evmc4x`0^UK@8f+y=JX|FOb0UN37~N`Dk?q$2Y@Fr4nvpV73m z(HLQadt;C>s)b&IfMlh?~2N|2uZ(Okw58D7KU9P}7;<&X6;o=C*x~_r#Aq8Xs6>@m*arP-mwuJJ4gjMC z?N9ZqMWB7SKoA;Y)CwckE^z;&mQq7-gIXE@=U* z?W-2j(h;y4E38(_8=FGLC0LIS78@i>$*DQsP4)yWW$F4{^^mag77aPXLQ2^J>;PJ* zY>?IuWm7{^wk*L~n`sGFos?j0Q>{?eByF8aR#oejc=y;^ym20O9VI)Nl4Z@xurBf- ztg>85_Cox9utal8EvTiDRIv|sK+R`UK5+8snwsxR=8DO_JgnTQm5g)czLl_ATA0b+ z5j77PZ;cw3?}aTgdtm{`lGa-+4fesxj6;PitlU};%e!HnupzS7>M~U?Wm9XVLt!aK zSauE=z$$rhSTjXHtc%o8l&C-tSZb$x{jY~48CE8r%Pkv~`#F;|d$ z%8D5JLDjn*QD-)(X_GE*-IG#md7LEgtBWq`f7eQP3p4C}q?fR6bo0 z8CI_Zk}NMYH*DF*M!*$|P8c}Q-%6m~z0er zaeV>mN?WIqwYRf_L%ds82g?mFMx!tqX~Jlv^`>K-)k({0KdBsy1m)4CCKu;&otNVK zO{bi4io_b9nu9gJAsrv|fMjKGTsLCtf|jLa#r0Zg#gGOy2P^fFeSkBiVqQ`U&q1?{15fc z?IA(NDzqu=5wPOm_>chzz`L`Bw6+2I2y`A;Hgd?9gf-5~zPY@ctX2s9u7ShHaQFxg zpIYz@G;sKgn0-eZ91?yW)?sJsoI)QZ<4YYr0D@r&RxyoB;E8QjtQKITgL-PNP@DW7>X4pL$U4mDlQsO2>K zZ|LKu@)ffGv|o{TbBz5)vVAps-x+EV%YX!s01`j~NB{{S0VIF~kN^@u0!UzT0yzIa zIUhWW1dsp{Kmter2_OL^fCP{L5IB5P0%raBzsU(zB!C2v01`j~NB{{S0VIF~kN^@u0!UydBY^M!?_?E< z#X$l{00|%gB!C2v01`j~NB{{S0VL3dKz;sSe6h_*bV34100|%gB!C2v01`j~NB{{S z0VIF~b_xRZ=l`9eFjxpAfCP{L5QxU-V|DCEju`oyg2_OL^fCP{L5+2_OL^fCP{L5cqkz0VIF~kN^@u0!RP}AOR$R z1dsp{XiI>+|8Ewb;KYB5PlykR54H7#jz|CrAOR$R1dsp{Kmter2_OL^fCP}h_D5h3 zlBEu(m2>S|&JO0)gqF_g#nKcLxb$Sp<%*WjOKNIuwlGNM|IOl?ocNCTrue-0{PtHE z%n=em0!RP}AOR$R1dsp{Kmter2_OL^uvG-yoYmqoIV~2Ki#I*bMND^ETu->}aDCFH zyOz6pU2f-JoIiA4=RDoH+8K0qIR5E)$bPh==3krcG=I%}rg^z}Khs;bZ`!K1RW`-?Z|iTYw^%n=S6cm+H!OGC*E_!4 zdYJBPJV4)bs(m(%5R%Cl!$R~JibGr8jWWm+i@Kk;OX z1^N?@R!U^kB~48i3%L<{k)!K9(j4?%bn4Zq7wYnuqX-Z_`08)bkzOcw2&%TC;c*G8<7i%F~|rwPc+n`yP#C&oLhmb8MNV84Zp0g7Cl zY6;n@>p{t2893N0Qsk4rq^D;cH3LvDrZ*SIle*J_3GR^+wXj;-=HTd_4(RC(thap3B#g^y^)#O_erx7uIk{^+OkE=eNy~taKugHY?*y|(k0T*nq%6=l8Ue?s+keG5$><|};wbPr z2GLn>x?^6$7n^7{jDFFGY?Bq_xSG3eYX{Z$A)GXNJcU$mzm1V%tmv+{U2ivy)U!Wv z0twM*an?4pW>-6!{WJ}FW6{p8@~wUvOq>09Tm7`jo>ZlM7dnqI228BH*;U#}>shv1 
z8qKdcDMw3EmbTfkxB6+D9UJvi&raKDtj*C_#(G0@c4&L6XW7!O`OdC#t?{(W&RNa5 zu{1jASW42F;A5=qw?QMF-r}Q8iKNq7e6-2OEIPi`E2&Kso-c8azYp#G{Z1lsF|F(R zz&_UUHaT!aF1C=WYlLht+l-LrmXM9=*knj)l=kh$)vS@`Sab2b&CQwwV)$a2rfrOq zjrO+5q{UC0@0uiDJcR_dR|4UWtt7)=y{9%t&`q}a@W)m(2W<4V%?P->IpF4Z@X*JO zp#hEVS-(_nGC@G^+id)iixo(uF>+ZqKYP6RB4-l+&WV2)UxVZCo1G+jL;^?v2_OL^ zfCP{L5*%f$#sf&_N3lKmter z2_OL^fCP{L5jY@gRck8cB@1DH01hM%nDz)@#oX;!8>-GqF_#u01`j~NB{{S z0VIF~kN^@u0!RP}Ab~9>fY1M1&J05!0VIF~kN^@u0!RP}AOR$R1dsp{*wF}({r@p`-kXjhj%9`F>V`Gj(?P_i8G#M=F zRYW`U*r}G+2RNw)eE;c(6$IL zl5=$W_BB;~v`q|_ik0Cq?X6{K0p(`~mYAh%LDvSglC)&$N@>Ze#fzJg znsBZMP`Y;eM!8%xUFjePt{6=2L__)MbO}vgM18?q7bq zbkxA{Qva%zOBXGHutyIpfqEFL3nPN&a7|}P@}zw<;%qvXEx;{jR@c&rOsSY}c!4^s z+N&l<=TXpxdYXo`=B$!yPb1~#6FH-JEw`o39$G@OR^5D>Fla>F)l)rW(9t<_rm41q zLWN7Eo-GWP>t=5&%)0Y`D4|e~v~b|C{#A=tO5NSf zjMu5T3i#Bu4SK^zy(C!8fD3`b*_Fp?#{Cr19mp0k{z29 zg<>J4l_x#9w6zUP>UVs@Xlf4|?_s1$%etB$Zgi36wgC@4>!6=kO1VZ;g3^}NoZhfE zy!X_)Q;yCRD@>!I$qKEO%f(cd0@zs5o4t@xfjkKsBl$)EG>6zK40KQOv5^D{nagHq zdv9<7H@Krs=f-*!xX^@YTWSCyfSRx+bHyZeN|iLAMyx$*hAOR$R1dsp{Kmter2_OL^fCP{L5@<`nZgrVVRV}r3yUxbDWbD2iO1K(JB@5iv*AW5I6O1QI|3NB{{S0VIF~kN^@u0!RP}Ac08< z@YW@q+q5?)YQp`VbKI}Hhb)Tue)GYmdrW&zJh($hWUgtGM!B<{taetEwQ=HZT(Eqgf8~I*vj5P<15#HTFJ00c>YT`?yQFME*9Ntc zv}EZ@Y00X^i|0#S%}KQN({pC^bVujmv&_}m*+N>|Kt&>5OjYt)K`$qYg+!{PsXAn{ zSZFwN-!yWzXvxBXY_C|%W6J=M{9RFApZ({!V-KD#!XC~4_z2`uGZBt)K3xdaA>Y&Ve3NHAJIo^;(Z6L9d#v=k{vNNbAYgfSbw%Tw^q58y^p2u6)>hk|t@jqKCpYs3g9d7MBhtvyggXV}4q&XR^y0+ZiOFsgnr>^G zBdH^sc>mkOapt-2N6XxzG)z}-k@s!x+2q*fNo@ZKRA*MRj?Vqz0c|zy&Z$aSFXj`O ztd>ic*#jCp0+ic0b6+>Q)2bzlj#)Jz8BauQe3A%Qk8X34J{2`33ZA>5FOf$+qV~WO zml?1X7NoH+4)n zzG@xb#%^{VLIn1x8#E+TOcct(wMt?tUBi;t-ETeE^u`A&ofoKX-?J@E2V;(OQbbj&F0F9 zx;>k&YsQ&*tvMQZwkaIT)wuH{Yjr2G9I9;%cgc3s*)r9s(3z&0sxFFzibO$MPgkQ> zEBa8e1TB*|oY@LtBR&}c;-3_|5kXgv{djKidsXV{tm>YQ&g18qs{>8B&X&s+4VKf+ zsieoy0x&1q$g}Bj=eY~o6=<9%vaEJXB&>Yne37EI`s#5zxc|Oa#r@ynaX!WA|62@O z9vYS;o(>h%-C9A$3cl;qTm^QJA-l7*E*ji&o;#;q^|W|t6NND>uy|QQq;ke3)CJX3 zn^Qg1(K&CP=^O_g)9XFd=z{tiJguvLs 
z*jz8B8rv9y3pO?##7R2YXG=PvI~kjPGQHQ(d+)vX-dpH3KmsA8kPy-c`G5a!-t3+B z&ay4?!%1wO1)ulk?dk&Apke+KShIfbP4huP^Q8?&(YYamANS;1ej_nV!PZ za)&x55?o=o4|$sxWd@Zu*U{FDqzwFllND`hI;hy>tKWVkFAj0tZi_QL@}YqjG7q0s z$#%^znbzu|4kx>7f1T)=Rvo=t?Qas^|kVxl&O$|CsWl{cEUi6RAs6vLa|bn zr@u?b!!$No&v=IY@Q!fp-=oNi96rJ|%2V+XuFgznOQy$Jd>*ctvlhJD+&R#da%Yg2 zskDYXeum4vQC^?YM)+2O=hd~J>7UFQE+}pZ4g)-HYFym_ICuqk#9(jOmF|=dAEw!P z1GS^lR@sJRZgr2Btg`W-wJ9JzXLaIiUHnyCFCG-PiD$)o;!W|fcu71a?iOE(KZ+~F zh2rd=4EJ=R!~iis3=jjv05L!e5Cg;jF+dCu1H{08hymT};XZb%5+^8etX#2woOnix zg*9G}$2V81b5IQnsdq?S4~oxaqFX`^EtY`A{c0HIT#9(8+~|d~>7W1qA38NU3^70q z5Cg;jF+dCu1H=F^KnxHA!~iis4Ez@uuzX)Ivt|zS&Cwsw$JWdd*Vs2(cUw{OPGe-? z>Oj0^j<=EB#kTk_RE-Wv4Ezr;;6I-S{|Bl;Raiq9D9$VH?5kfomiM`Xg{z_~`y()& z*!<>nSKG?MIQJ45Zux>c4cLh+Hx6OJ6A>NmWq%;Yvm&}HWk+^?&PcA z6{?d$8kR4y-!fp0u2@x#D)wJVrQG?TUUkJOzWS}8UNhWtr80%mdGu#@cw?74HF1LL zm&+i}yx-`Ko_9@j>ZfM8SyT`o%6D5sZXc>5H?Y{a+aJb>Fcvx2fFkNI} zrnS(2#6wnb#Qq(YJE&_@)3SAn8JzZb%%ONIJBM_{mX&v{tKtLQp;c31T!$&&uBE9k z&ZI*Xwp%@;uyW30d$ywh(@+MU&QjuUxdT+pwQ0?D^meKs;T4pV&-E0VTYIu_q-=WN zL(T8W^>#P6^iRSm&(U;Frm(adVvws(#@Q$*SGHt3vU0*twyThtpXn*@AB4wHt{W$` zsYAnb$~Nd(gX7-*guzHIcjz=8MMXF%fq-;U%wL|wDq`s;}gIoB44_5NzYqqVm<2hW?YDEPXPsmp+_nAR?c;3!-NV>P?n@jt#lLmd_rCnBisDVzrwD$^5yuY4}O?wt+>-D3C z^TUz;LT*t8rk&wzHKns_2CTC?qpE?j$Rnz`ZcViQU;k5$G-7}lAO?s5Vt^PR28aP- zfEXYKhyh|?ZDpY3|BLU%-`3W1r1K&Mhyh}N7$63S0b+m{AO?s5Vt^PR27c-c1jP5u zE52f|&fi}_&_7~;7$63S0b+m{AO?s5Vt^PR28aP-fEZY#8IUXgX*CkLSE5&g)6oL3 zHlSDhhKaw3--xf*=o6&M69dEmF+dCu1H=F^KnxHA!~iis3=jjvfOPqFbpLDn-G5sD zpBe@+KnxHA!~iis3=jjv05L!e5Cg;jG4NAhARzv#;{U&g8313=41k})HK%hV28aP- zfEXYKhyh}N7$63S0b+m{SeqG;0RTP?!vMT+o;qV*uir1%|NG1s!Q}dX;v4aM@um2s z_*lFr-W0Ej7sS)zG4Y_dP24E15f_S|i8I8>;y7`bI9T+EPO(6=iUY*nVy>7ab`ev= z4q|H&7a_5w7%dvbNHI*TD{SExn*D$FclKZGKia>wzpy{GKeXSme{R2QKW9H_KVsi+ z-(}xw-(X*AUtphOpKhOIA8Qxw#r8pVyPdZ8v-h;;*fZ>%?Me1_cElcUH`$xn8`~S$ 
zL+v`-uyxyGeQ*8E`knP_>oe;k>s{*&>lN#H>nZC|>jC(Z;ceE9)-~4U)DErx4%P%KYK^xxv2=@>-Q&uQD$&&ofUlk1>xlmzsIA)0}Un&3(;z<}7oXxs4e&gXR|IX68obFmoN#G>pubf!Q1k2${=2c}2mGzgeGZ))GN3oImeorI9Kr5CLhU8|$^H~+t7O18 zhHcoN$v9U#ygx-6F+dFbM;PF}|B=HC@*p){KWCpIev0^s?)7jV`voRGM*IlzL&Oi% z=Jzr2o=UuniFXj+MtlqLO||(AO#B@2b!B=D6R#q^g7`AxONcKbzJU0=+Tl4&Jd5}Y z;?syvAwG%t1mfdrhsQASDB>fC4Uq~ z;;o3cAl{646XK1CHy~b*cpc)kh}Wp%uExYwh*u(Bfp|IMWr&xmte0ToV#JFOFGRcm z@qEPdRMvAb@iWA85YI+D3-L^q=?o=KSK>6>bgD|6f{Bw6PeMEq@dU)<5syPW7V#Lh z+tHX;gdPb8N$8f4 zlh7rhQ$mM?MG_WD$YS{mq&i>q{6a zVLjZuu2k2NFhoKf8iiDC36=y?f*~Ow!7rg!f=_}jp+@d zT5*NASez%$5~qq2#L?nNafs*@-C~hw7iqDd*i+0AGsMnflGsk9L{w}gwh*I4gBT&! z7ej<8e1hBmvj1-X+5Ut58~a!GFYNd2x9r#K7wu>4$L)vgd+j^yo9*lDEA30{^X;?k z)9e%NW9*~A|CM6_9rk>?#opiE%ii6dX-~5!+uPd{?3f+2$J(3Qo7fxL_4YcpW!KtX z>;JR11l<|mhpK*tAlW~o4nQ?(}wsER)ywPVIW-KwnN;7nI$TGd${x#m)_;l4{_3Yz(5S} zg#%gtTecc6!+`-n7#INj1QEssK!!*VMG9Q7!d%35dlCL5dee{0YDfL0E7_%Ko}7Kgb@Ki7!d%3 z5dlCL5dee{0l+&EVL$+M7!Ux20Rcc55CDV$0YDfK0E7VnKo}4JgaH9S7!Ux20Rcc5 z5CFUe5yk^Rhw%VF7!Lr1@c=*=4*-Pm0KiKTVK@ME7!Cl0;Q&Aw4giGV06-WH06Y&7 zMgu^H(Evag4FH7E06-WG06Y`%48+qBVJHCXry{~g0O&9h00<)ifG`pO2qOW2FcJU= zBLRRg5&(D%A`Aq84g&#zFc1I;0|9_A5WwU>0Fwg&Ob!Gv&tVc^9DvDj04B!)m>dUS zavXrkaR4UA0hk;IU~(LQ$#DQC#{rle2Vim>fXQ(HCdUDo90y=>9DvDj0OrX`fMEb8 zhXI%z24Hd+fXQJ1CWir-90p)=7=X!P049e4m>dRRau|TgVF2dYR|1RzFgXgq zqX0~f0x&rWz~m?ZlcNAkjsh^xYzZ(3z~mqR^URb0V*pH!0WdiRz~mSJlVbo(jsY+^ z2EaT!Nq`{$CWio+90Fi+2!P2U049e3m>dFNatMIQApjdFNatMIQApjdFNatMIQApjf8Um?)AyHU|L47b?TG)@n^X01$^Wlr ze@ z&pVwgmHhwJ$L$X}^{eN%&8s_|e0I~kB+Rwv`|A!&c|91OE z`)Zi+f4+T|eTsb?%=bUk?zMAv)^3Fu|2^&5_OA96i11IrjQ?@=Xo&A00rUNZ?T6_8 zf5B}3KUu$p*#2Kw@4;;Umm#wMaqB^t>whc6^&G_jj}ejhQn-n%ksgj|9_a@n7@UX{*TPJVb=e1=Hn32f2Vnq zc{R-XKNsTpPcZw;L(Kxr`foRz&ArUo<}T(Wh~O@ioNp ze`>sMykWd#JPlF&_rje2>y0an3n7O86ysQ!^S{J62qO4fjs1*y#!O=>%==FnVPmYZ znK9B>-w;Nv;R$>f_;cWQfzJaU2i^(17I;4JMBu@|U4fee*90yNoEJDFaAIIt;IKe% zperyxaA08Xz#RV#KkN^Vvl{&t znmd(v+&#&^=GBVSM-{2xR;2#nPU${(D)7Aa#M;RnofR>#b}_(TUlYzp&Ux0@XG(mk 
z1kRk-*e_J-VK!HCR^lxsa0<`#0yH`TzZW?r&7-<@r)8rEAf;PPb%?*5;&z^V~?rSqe?uY#KTHF zq{M?tJfOt=O5CT!y-M7p#NA5Vr3B8e*Vr8@b-NO`DRHY3wM*3_ZmAzrA}7jBqdH%;shm*SK>G&j#UC@;cM(@ zm0G4mpAtnSj*>H~wIdOaKs+1~XX9&!qJ9YCQp6>Q2O};<>_sdf<`H`k4?^rl%prCm zb|Q8lE<#+0i1YKc1*p$QY)8x>wjs76wjibv4@7K6JOFWj#QhNWMcfB*Z^XS2_e9(S zaUSAa#N83+AkIeI4RIFYOvD+8(-C(?+y!wO;?9Uu5qCnIf;bs*65@`C6A^bn+#Yc| z#BC9`LEIW~0%8g=iI_l)BgPP;h!MmvVhAyaxE11f#BqpQB92Ae0f8_uFB>n%It5@qE`Tv6&Iam|k=>}Uz^8W|R z)Zp@w|35gMC>JrX_A{{N`2R3HUOHAVKVAv+|GD!2VT!ymqW=$*Nk^d6h!{ALh!d6#D;M`TsCoUK!E<=gR+whd^D2e@ zKg^t0DfItg?z~E&|IZov|1f=C8PWge%KwKM^va0-Kg^+5DfItg7QITL{}1!%RSNxo zm`Sfv=>Nl9dX+-|A7<056#D-#pI)WV|A!g%Duw<(%&Au?^#5U2y-K0~5A*6(3jKeW zS+7#)|8wR4!;kCAi2grJuU9Gb|6zi?N}>PHmH!WO?3EGyf0$*jQt1D~JbRTw|DP-W zAEw$XBl`a^*M` zQ}0y@{eQ0ff6mbVhw1lf8~Xn+0bhDV9Q}We{y#_mpQHcJ(f{Y@|8w;JIr{$`{eO=B zKS%$cqyNv*|L5rcbM*f?`u`mLe~$h?NB^Ir|Ig9?=ji`)^#3{f{~Y~)j{ZMK|DU7( z&(Z(q=>K!{|2g{q9Q}We{y#_mpQHcJ(f{Y@|8w;JIr{$`{eO=BKS%$cqyNv*|L5rc zbM*f?`u`mLe~$h?NB^Ir|Ig9?=ji`)^#3{f{~Y~)j{ZMK|DU7(&(Z(q=>K!{|2g{q z9Q}We{y#_mpQHcJ(f{Y@|8w;JIr{$`{eO=BKS%$cqyNv*|L5rcbM*f?`u`mLe~$h? 
zNB^Ir|Ig9?=ji`)^#3{f{~Y~)j{ZMK|DU7(&(Z(q=>K!{|2g{q9Q}We{y#_mpQHcJ z(f{Y@|8w;JIr{$`{eO=BKS%$cqyNv*|L5rcbM*f?`u`mLe~$h?NB^Ir|Ig9?=ji`) z^#3{f{~Y~)j{ZMK|DU7(&(Z(q=>K!_|9`r_|F2f>|LV2l*Z-PJAhKk&{;f^#t>pjz zxL1?>{~wo6DvcOea~W83{C{2f|GM)3b%y@GuKa&p`TsgY|6f=Bzs}JA*OmXTEB{|t zzyIsX|JND%|GM)3b%y@GuKa&p`TsgY|6f=Bzpng$ouU7)EB{|-=>O}=|JND%|GM)3 zb@ltduKa(Uq5rQd|6gb5|Le;C*OmXTGxYy;<^Su-|JND%|GM)3b%y@GuKa(Uq5rQd z|6gb5|Le;C*BSc%y7K>ZhW@{<{C{2j{;w&pMv8T$Xa^8a;){=csLf1RQK zuPgswXXyXy%Kz6H`v1D}|8?d6>kR#WUHShyL;qh_{=d%9|JRlOuPgswXXyXy%Kz6H z`v1D}|8<7`zpng$UHShyL;qh_{=d%9|JRlOudCnxb>;u-%Kz7u|F5gx|8?d6>kR#W zUHShyL;qh_{=d%9|JRlOuQT-jb>;u-%Kz7u|F1Lj|8?d6>*)XM=>O~J|Lf@g>*)XM z=>O~J|Lf@g>*)XM=>O~J|Lf@g>*)XM=>O~J|Lf@g>*)XM=>O~J|Lf@g>*)XM=>O~J z|Lf@g>*)XM?Q(2FNB>_(|6fP{Uq}C6NB>_(|6fP{Uq}C6NB>_(|6fP{Uq}C6NB>_( z|6fP{Uq}C6NB>_(|6fP{Uq}C6NB>_(|6fP{Uq}C6NB>_(|6fP{Uq}C6NB>_(|6fP{ zU*8GqkN&@o{=bg?zmERDj{d)n{=bg?zmERDj{d)n{=bg?zmERDj{d)n{=bg?zmERD zj{d)n{=bg?zmERDj{d)n{=bg?zmERDj{d)n{=bg?zmERDj{d)n{=bg?zrH!vAN_wF z{eK<(e;xgQ9sPeD{eK<(e;xgQ9sPeD{eK<(e;xgQ9sPeD{eK<(e;xgQ9sPeD{eK<( ze;xgQ9sPeD{eK<(e;xgQ9sPeD{eK<(e;xgQ9sPeD{eK<(e_hA=qyMj?|F5I}ucQC3 z2gE;_SA509A0ht#t2Ou8NHr%0hyh}N7$63S0b+m{AO?s5Vt^PR28aR4fE)(!!Rr6; z^*l*k4ZayEB-k=(N==twNf_et|9|I<0DJ^X0?R8U7RPs|M!`AS==wK z6z4&b{t*Mj05L!e5Cg;jF+dCu1H=F^KnxHA#K3=mfq>>2>haCXXL@|7>QaSIEHJ}4 z__~^Bv`3rRmFrsCnd{BV&DwgJr^(};+LP<;o|)^Kk?Cy7^mx(8(OAySYc>B+zuYGv zz6AgOV#3fdYL~UzK72P{7wG;|IHe6T2xVDfEXYKhyh}N7$63S0b+m{AO?s5 zVt^PJ3-GC(5I{g259k>p zz7=1JvCH0Nj6Gs9KUr2o@dvFZszmj?#d-OTbe=GIj?5TS}|5ED1*u5vgzO_={ zh~2*-*uRzf2=>SyKz~{4wd|p-Kz~WK`Xcl{m-Ng(sRZJ9HiJ{c zNKr3_2t(A^|7ZWh{$leD)-SC0 ztT(Ket!J&rtp}~Uty`_@tt+jIt#hq2tdp!`tRt&G_jj}ejhFj}emgTdU`496O^S9=&%#X~s%~#Fm%*V|K%sb7S%&W~y%yZ4t%@fQ% z^H8&3cAD*Gv$>Z!+uX&RWNu@|%<<-Ev%ws0u45XeX8gj*AwsDGatZ}5V#5l-UXtWyp8S{*p##CbmBV~k*vBqY`NMn6N7`28c z@Lk}~f!_r_4}2VWC-7R}`M?u_2LpEnZVp@%xHNEH;EceDfn|Zi0=J!NRR7@Spnt@`{}KZ=k1`+Br{-m5_gAatgNoE|DpG%Qr}UbN z)VdX^O)64bRiw79NbOpY+Pfk(zarIJky=)fI-??WX+`ShiqwM@spl(F?^L8duSosb 
zo$`4qQX`psLJs)PH?|^YsvrhKbkS{3jgPiRu~n84DjC* z5z8~6dp%rdUnudp62DU7ms0rHXDaon5}zpX3ne~Q;v*$KRN@0A-dEy1CEiuy9VOmY z;w>fKRN@UKey+spO1!4Tt4h40#LG&&q{NF#yr9JMN<62;vr0Up#M4SVrNom;JfXzn zN<5~-qe?uY#KTHFq{M?tJfOt=O5CT!y-M7p#NA5VrNo^|+@ZwnO5CQztxDXY#LY_F zq{NL%+@QquN?fPJwMty0#MMe%rNos=T%p9}N?fMIrAl0)#KlTnq{M|vT%g4HN}Q*} zxk~&@iF1@VTZyxjI8%u;lsH|9)08+>iBps~S&5UBI8liclsI0AQ2O};<>_sdf<`H`k4?^rl%prCmb|Q8l zE<#+0m_=NGI3KYcF@xBK*oxSKm_|Ghu^I6I#QhQXL);f}AH=;8_d?tgaSz0Kh;tEl zN1TH=8*w+pS%@WDRn8lo4GYhI6Ew_w0P=Od;6|5x!R@jLNr_zvJl;$86ud=2nf@wj+U+%0Yu z*TZ)KFBa#DGsH>a7;&UnD)ORJ%ok~~ub3xhiD_bz*j6M&NQ@Pu#KvN{SXWrWCp`8) z?Z4Px+rP1YX@6wDW4~^{Xg_T~YTs|)Y2R#LYhP|(XrE)BW}jd$vk$iqwhyuw*%`ap z-rL^Yo?%b5C)!)vF?%b!$==i+Y1i9BY{Rax{?Gb{^=Iq%)~~Hktq-iXtXHk)ttYLA zt$VH8Uq6^n>lEu)@c)-s?bcjtM=NM;WSQo7=9l2zKV{xwUS^(Z9%e2CKYk}O zYBrj}_}=)9@wV|Kc22n6u2Ke@3R6&1v&%!1f~X} zflUIo|DXOZ{cri7@Zajc$bW)=vA@;7n}1vX7XEs_R{N*gk85A7y|4D_+B0j9tnH}X zyLPAANNq!{<@?U}Yu}r`$9=c>F7zGm>-DwxX8E@9HTl-}dG$Z)AL%dX_v%;aXXr=h zi}bzpDSBAnST}3_QS(L38#RyB++1@(&2cq_nsm*~nyqWb)C{fR+Sl5L+Vk2y+LhYr z+Tq$lZBK2o7ScA-4Da8)pL>7qebjrC_k8cM-n{of?+ot*?`ZFO@R0e!+&YQx)P%IP-heD}fJQT0%t8tlyrL=-Bq*fE8J$xtwsia=Stjwuw1ghQ|+)V@$@3PUCGZc`{0 z0aH)EDU^yPVo>{o&=iI91Hz)ADCFucnSv=WM}kn*oMQ^Y`6Yq7XMoO&b_0is)#NuG2F zE^QEUwK%3kI2B9;;RNc6>5>Wd3Wee^*zrJ@DHsh$AXjtQB-?5%0#!Z0F~x&nAP7zS zJEm|b0Vf2Ftgg6U*#u246pDgr-%3*$j<`?1DVT^P!jNn4k|~$~5~H$B?Bz1S^$7wK zdzMX5iC|oEzem{=3MHe7AeiPkrcg-U9q}++$GK>d_Y|~;XbNt=;_f9AFa{?rulAe@ zQyA{Y;%vth49A1PNK6vFo7)tI7Eo85rA%;31)<4dGnwg_;6@L{qd|G6%_y0Gmv9)b z(DVuuT;00jt`(-BH0@F{!Bvb$V^OHrw6ZA{OhhB{gm!jJQMeVrDEo=2j!9Mv+LB~- zC&v^HL&e}qLcOMxOwhjMJqbilc1+N1gc4EN4HYMqOwjp7p{+x%9V<<;suL?r(1Fzz zcR&;H0#_pl%?>KDy)wZy1Qz7Ky5e?@393*sZR?nTtzbL`{MQw?DVbz%0%r}}Z(TM) zy9e$e*96A|wSQ3 zVWiR|FIu>43Wnm)e1XCcn&9$4n}ACsyR=}12{zOfwr3PD-JDoim+VSR-u8ilgfuQbVCZfJ!mBFR~= z(j-}3x55;bxz?#Lg`{anrAaoEx(XA#%hVNx+XRm}sFz(~O3GIZtHP9!&knQF1aCt{ zqrw!IPvk&_DJJXXuP{X=g|!u?h-@al3KQIh@Wl%(F?a)kejP3izIXLo z;E9K?T`o(g4&S=KBA?38l|lcFFJ00i-&sTOnp#&-OM?Ex6q 
z<^jgExqwk^cfg1?2QaM71`KJt0S2{Md`Kdt%>+zpGXN9XbilZ_D_~691u&{j1B_@p z1BSJ!fFW%sz@RpT4~eI=$$&|15@15x5iqVz1dM4r07kX#0VCRWfMIQ0z>u~LU{Kqd z4~eC;34lp01(?v1fN?DW7}Mf_Q7r}-(V~E1Edm(Q!hk_7#D_#vS`aX)Z3URn#skK+ zaey&xOTef$7BHf10T|Yr07Kdsz@Rpo4~e9-%>k3zD8Pia8DL!76fmYW0!Fn>03%uh zU|8E25F9VSpf-{Z38%CT0h8JYz=XB|U|bsx7}JIUMzwmth_*gpSQ`o$($)hEYU}bL zp_H}`U{V_bn9%9~pRI40`=sq`b9UB)vW^5?-B)xVMIj zm{;Q>>h*FF@p3N0-~fsc{{HWOP0s)StN5e%O8g4G|MxDe1o)D82G#_8K->i@0$wMs z5EqG`iPOc2;%IS%SR#5vhiDfEihaafF;na;b`;x)xCn|Z#Aae6F-)u@OrZ;Ae`kMd z|H1y!{>=W+e%pS{e!+gqe#E}dzQexBzQ(@HzQ8`)KGi+FE7S^uB)ck3JLch(oyC)WGco7OAVbJi2qL)Jau z{oi0+WnE&OXPs%C4F3O7)*)8G>arGCE!KY49@cKwF4kmgJ1c30tu3w1tp;lYYdy=h zYT@_)zng!A(Sc9Qcg@$}*Z;@N`^?+S>tLMVJoxSZc=IT8iP>!~Fb{+ggWb%X%^l37 z88pYh@BYKgI*cpEBPZ~jEjL`t&3w7{oKMVXl@W;THflmVO!f*Z01s)6B7q~5OUEnhKrT_H6 z@i6MJB+wmL0KfC^71%AXb6|%+G7t=m2{Z(T`Tq!G5TE$p4b%l{1I+(-|7*3E{kVVH zRX^FksOI`B4U7ELrBU!D|C1bOcd=S|Jnbn~=RU6XW>xxERq1al(=}REdcCUjW>x8E zReEw&dTv#^ttwrpN*`U7KD#P?RaN?~s`OJ;={Kv=zp6@qTbb6is`PqQ>CLLrlUakC z?`mD2Ta~}9DqW~bA6=C`yDEKEW!kqM>#jcL>P!a?^DbDOZoe!xCJ z`96Ce<$LTsl<%^4QNF|8LHRa&8|7Q zE9@1NFUy!!sMkv}UKQkv>_wC>uoqB1&z?v59D5Gsv+P-v&#-4uKFyv+`4oE!<&*45 zluxiHP(IEcNBJ0g4CSNjQIwCcM^HY@9!B{PdkE!&>_L_(I~ zup3Zb&#p lH+Ywd`7y*RX3)Ud^sXc@?_~<(2G8lvl7TP+rb1M|l~$4CSTlQk0jl zOHf|SE=G9~y9nil>_U_munSP0&(24A9y<@^x$In&KVv^bc@8@V<=O0PlxMNCP@c)o zM0o}~1Lf)Lbd;yD(@>tuPDObNI|b#*>|~TDv6E1q$WBCg0y_ca@$7h%$Fbv39?OnJ zc?>%S<p*K;7AMrI06Fz4#xn1!!Q8gPz(S#1Oot;VgSGr z3;;M70{|8;mOrQVVgNt^0|4?E0MLU000&_JKsN>eVgSG{7yvL00|0i$0D!3&0I(AV08GIEfXS2Pu_jHDxFZGtOvC_y9WVf3 zdkg^B4g&zT#Q=b9FaTg{3;>vb0RSls07zm0Kmr2*;&EA8379Si^%f&l<^7yuwJ0Kmoo01E>EObh@pFaRKc0RVms0I0y^mi`+t7F^#A2sm!QbOpXw_Eoi{N+3=jjv05L!e5Cg;jF+dCu1H`~jfC2LV ze*zboPLUWO28aP-fEXYKhyh}N7$63S0b<}M&p^rl|H%_U1P}wn05L!e5Cg;jF+dCu z1H=F^KnxHAYcT@>aRpmP%wgginDhUFctTtt&V*V1eK5m+p=g2m{a?Wv0CU70;s$XD z{4f7LgW3K&uEmtlsSyLj05L!e5Cg;jF+dCu1H=F^KnxHA127;Csamy2^LRWPY9oA7 z4%g~Y4%600S+5O6IaFH*WrNm$a)?%kvQ85yg=V9K(*MawBaclq0m^ 
zC~LJ^ls?UeQrC3x-2nC4KpTeJxyIpCbjGCch>zrXeXWF4=^rsb3=jjv05L!e5Cg;j zF+dCu1H=F^Kn$!&4E$ju??exLCMGy87#U<18fdYh(yN+!=Yp>!AE*0`olq4czj$q*$_%h2!|#FqvONLR5%f{{JSuNZ^5kJ zStnY0?QON|)x23VLwnNuPwxW0Md{CzV}D&er(RL&(cAPj`RX^_)N}myg>*|tCS53` zTNiX@x(a!hs!y6TW#Zf^4Ra^%IDJY(qiaiJ!1mibYi`5LdDEvi z>^5iGjEQshZrF9o-di>_w&p61N{K-+&^MuPysv)bNYBwz@#3`RI`PVsOQ#p#~b1?iqKkziB9X++kY-j_mknPO457OH$tt;5xR1|&V zeD$+8<;7UGt1Ytxq1n}Tq1@)SY<^L5d$uFfmF{#me)gcl?X;Pbr|i|xxayr78)nU1 z?$)R%zOkt|xo=BfeJ@n$&=prnQj*SgWh8se>8`fseuKPFt`lH)4Wg3$dkoCxbRk~}+?PtaJwUf2f@XI%U`3|hS@hh8gsi#;$ zW?5)HdkFL>&O>2LvcE&A=p$H5ego$lu=6SPbq;@RnS5(cw!4s(J(N?$a%rVJvWIEQ_GDTMxt^s1 zXKN}B>l^K>-+e1yOu3pdbjMwA`k6w$Ih)V-X7aMfLJhixB%Ub?eM@wm=uvlY@(mMRqO7^kijk+}5Un4b+pYa39r)sLitbs4B9tskv{suYN12f)_hB zr=aeh+(PKA%LkoYdC=u@RUf8*|Hh`i!}^B#>W2^a9J4#V!K15n*aZMn*aa5c6F#e!~iis3=jjv05L!e z5Cg;jF+dCu1H{1K82H_a=Kn{+@n9-W^Zy4&Bjq9nhyh}N7$63S0b+m{AO?s5Vt^PR z2G(c>0^&1R|NluQXaBF!Cqk7c28aP-fEXYKhyh}N7$63S0b+m{AO_ZM1}f(N#~MPB z36a!zGv_s{UZj5 z0b+m{AO?s5Vt^PR28aP-fEXYKh=H|`0k7BZSN{J$VgCPGc!G3F!~iis3=jjv05L!e z5Cg;jF+dCu1H=F^Am{&c>Hnt!XEJfF__MK8%(5Q}d}}lX-ZO>-9uc+nJLbD~-rCh{ zGIug-?YYL8VhgL${LcDY;LO1F=4s*tdwctG>m;kwwv0#YZ_E~Zl=X>qgY}Gf*|=-sxoS8Go$pKtE&$t}#Z7Mgo9?Xh}q zq_h!|i~(b3L8uLLu8VKhofx;_1nB=knP?u4id89Im-7oA2&OgD&eHUe`O; zlV6%|PIqTZl?V;<#ysiXLaseiXkF0Ux***(Kaa;}V{O^!o#x4B4(iQx6|(7$ z^66&Vq@g{V>B*0k=isnf+MaJN^rTxCWqO*kZTT%EY0G8k%(eA)Wb#e2j>~QA?rrJF zwvHL<-OAIIIk-7n$aFS$X1aQt3+a~8@+ub=^mev%rL!IRQuQ~lxXKO-qa-7}d8mit zd^1U>yrB8+beCh>ROZ2ptnxI1r*^p5oOW}6EOGM$+X zM|!vSWb^sn473ZlM5WAyTp`_&A0gLqA7E>1uA{fJE58A@gLDsEvSyX5EeB1ZCtb+q zh7b29Jl*bX-96b{PqwghnB=))izFpqFE5I^$>e2m?y>b{+sCruf-LFI0a@67hsxsN zG@IehS_BOq`D<=VFU_wf&$+rb>&g=;-2nOC7U%BDt7_-h8Ru;-^Q87w7X~j^A=lj6 zlaVLY1xF}khRFL)<(l7<>+Nn%=kwY5UC@pSb$Cm5$6$WuQ!yC@6g zbaulnmxn3`(3_F3MIJqvQsD!S60 z8C^1-ZY^XN!!<;vOO2&QHiLX7-22U{$#3-PoV*?rtt*3mut&_=@S`eI`B^pNQ|ox8e_wpnt>wF+dCu1H=F^KnxHA z!~iis3=jjv05PzJFo28v`|wA8&FlB*P;FfPzXm@AprP*d%HRKW`Tf7|#W&*j;&0+h 
z`U2n@a)GIu!~iis3=jjv05L!e5Cg;jF+dCu1H^!v0nJ>FwbB__ne6Jnw9@nAfWid2;voe+tQ z569!NSY%HxlsZwCs>@kEFckoT@dqwA4mEBFg(pN(6Qa@aiAW?GNiA1!FgZRFkHkY! zAb!>$$sbHM`TIYs8%$2hLktiD!~iis3=jjv05L!e5Cg;jF+dCu18XV+mOYIP@w~{y zNY9J>F6&imU-LzCs&RiH>c6P=E8jD|+4>VTZ`bUqU9qN~;ZLUC#Z2)?U;U_2e3=0& ztaN0uow$StF7V;j*`1T-Oqn=$O2gcVJ5Ha{(CFUQ*f6Fs+t%2S?J8vEXL=fTn=@_3 z#5sF6>^f!dhKcj$&YCt8_MI_h=G=yvv*7=E)2DCQUw~^r*H&B?2L`|T3w3SGwJe0y zWy+hNFj&?l4{KR8Hppc&Al=)Qg@tP{(_*>mMY^YH*}^_1Pt;^RGz1MQ}ub4s^mUlICyDcAXgRLCytBKtYDj3KE%Co@|2w>&YNClZ9%TLC*Ro6 z-jPce+=a^Zj9_&W*yNn=m{2erZEC36y}UYz`w*qmfU4)a^o&sownmaJQ5$WzgLuTmDj(%ar`PGBy?0 z>+|{QCnh|_ZI^3H<(--jZmn!kXXxtVTkXz9qc4A4?bD}K4UF?TNpEp>G_ z=RjW#bbF&JyFK?ij%;`R4`=rlc6MdcP>t7}qjF!>K-}BqMd~jbo_(xO^VLrspbnvx)WP-MZm7y`)JO4M#DyuMH{(%pxp4al$Jh;!}tKS-qIRYuDD5L)c z!EH{h<*wgGC?1Vku z9%XN6uWJWvkM(!!YwHW^BkN7;Me7Oce(N^tTI&+)9P4CjnRSSDkhQ>Sw)U`QSd*=- zt+3T(HCXkQZPl3Hn}0UHGCwunHD5KKF&{SXGH*1mFwZwnH;*%qFni4ov(?`2y-3NZ!+U=#vhE&jSr1Cj2Dc@jr)vSjcbgHjkArDjH8TRW1-P(%r&MN z+ZhpKj4{$!$M6Nd5Bw?cMc{+LYk{W&4+L%vTopJ!aB5&#U`e1e&=S})Fg-9a5D$zE zGz5kQ0{;K=f9wB^|6~6f{^$G;`|t2y>%YiM zzVCcr`+ntn&-aS&N#A|Gn|)XK&h?$_EBY4u7WoeJ&GYS|@A$+1*0$S~&S!08AaIxG zm9_D_)|hh&+@(!lX=Sy}m2UotYz)+JzlXEW;6F$Gl(SDA^%KrManxUM_6tY-n6r-^ z^&`$ca?}qw`_NH8;OqlOeV?=U9rZoV-gDGKw;lB@&fap=H#vLL zQQzR~4M+VsXFqq;*ExILQD5WiHAj7wvsWGU70zC9)R#GX*->BO>?KEik+T;a^##se zaMb5Hd)`r>>)>ekh2FJ^#RTvaMb%byWdgoxe z>?TLOk+T~e^#;yvaMbHLyWUZ+IlJ0Xuj1?~N4=7>D;@O; z&aQCO%Q?H;Q7_}{GDp3Xvr8TI63#Ah)QdU0*ikRy>>@|Kkh2RN^#aZ=aMbfTJKs^y z~J(sg{9rb6N{mfC%;p`koJ)5($9rY~E&T`Z;y+Wp0nc}^*GLsbJSxwJJwN;;p`Yk zJ({zl9d#LJ%N(_jvpz>Ha#nQIqc}UNw#MW4c#h;pD&+`%gi;RYhb!eUewb1Y<%cTe z5PpbKmhz=aS;ChnYO6ldjN-6MyQt~{nlpfxrl!N#|O6lg^O3Cq@Qo4AT zQaX93QaX5tQWo(=N?FJkDkaOaN?E`cC}lpMuatJ)u9OVVD5Z_JDW#RSDy4N-P z`L;^ghHs;kt@+kUnZPF~CB;)pN%Evp5nmj_AF7n~_vb zKZBru!~iis3=jjv05L!e5Cg;jF+dCu1H=F^u*Nc=YcSN{(`q#E`MsFXIh+i96Tkvt zdFmMdf_GYz&AW|@YOk(cM}J?RrahvCyqA0Gyq9~=W6U@!2(hheECGYAc;DWATl?xq zjNr%kROBoM(dSi+e4gFmL~T@r&O@knWz>8r1g$EXys)&pKkT(SrmP&}R0_Q>6#`Kk 
z?b#0a7OE>|wt8pyaIE|iEmTB?S5|Mu?~CI1S0O{Gcy|mf9-=FoUyy-VK=`n1M<(4> zE~FxIw-oc0h8Rv6S1u!o+!4E_@WlbQH!bdyjcBB&=nkhT#mUJCmvZ=M*;pB!gi$#1 zgPRy3U$KXZfGKT~SEO7RgoY*hw(`~I;K(^wAWtc?EXUCypvMW}={LyBR?2$7s_N6f z+koXPUrYB6GD4?6jm-Odbt`?U+BRh@&$UEG`4JpaZtdPf7TF&e=H9aVU~1F9>%f(9ZEsrU>r3KHkYi@! z-ReG=TNloOo!i#EX^{7B#qBpHvciz{q@dI^pxq&FQu_ z`GH(DOT+2ts!(AT6^=b zicvFsEW880fLz&WRBT&1&~>cHQMI?zCA!P6?sJaG_eF7f!%3s?QdSgKk?>bu#foi% zyoMF`-AeBC!S)D9ne*A_^2J|Cxp2efvoL+Hd2zaUEsa>_5Jr#m_Zkulp*$iVEg>W-_T zz*3*H!s@FJV9QC41C#`hs?wL$k-~vris0Ms*p`+rAOr<0&f+x~V59rC?S#*7XS-Ka z3H9aqX1H&9pqc}{n6+i{tvy-%PWJ#An)-(JMSS(!Z_k${mTUIS?q`_0nOAIJcdz(< zsK_|Td!yn&S=U3u)z4Mj7jCu&_sq)WvvR4lY&^i2JD~Q8J6pwl6@h33pp`@*U6pNt=Cpw4ELr%^8fGkO)H*YCs)oZ zcOqll`JDF*IfHolOHqCaY0dR^^%qd?g(|nhB({A1;9L(h7iUImIU{ygE$Muwxecy( zX})VX7VDo&Q!1-a=xOfA&Cj~>RlkG4eVdlq+Os|RLPayI=x!@YOb<4vd>`nq;sA%v zbrlw5+B=p)uQ@-PUv(!}=zzX`rQIO7eOSyuU59kMa=k0QHZbD~UKEq&^qKh&U1H=F^KnxHA!~iis3=jjv05L!e5Cdx@110}o z{9}!*K2@3+AO?s5Vt^PR28aP-fEXYKhyh}N7$61)!GN6qKa_pJ?7!OW)*FE|e8cWk ze|_z_wROIWe53Tc^zCb|stJ3)^zP4p!<#*yLDqw7udTggB}I4jO@&oUhI@)bT0i19f_tx`eym+r;Oyqk*>?J z5SB^lN_XG|=|5!2%1$0=jg-<>xjst&K5F@<(l$w&Yg@nb|$8Yve_wO zCHGUVZx`9URW_vl?ybC{o-(lqDlaOw1NHe|y!p!6)n!#XN!I%}G!^Unrupjkg+oqp z-NOBc?8)V1&w^i`?PxEc?3rJ1DsailE3kr{tE=N=lPgrhA*6sK$gkb+3|}aRnhhPW zX8o)?l{tOomFdr4eSFuJrolX5b! 
zg(sSO-BOiP_8ic5ay{9?(()mDSAIxW{_2CeH$j&*MUv}T0l9^qbn7Dgpth*>GZ2d(_zuKd+Uc5i}~ zJ#l5PPWeK*(3>xxarep(TFza4$o>sY&3!xg>bC-(y^8029+n(*t=_6G{IIG6Rp+Wc zfNSB=renMMw)fQ!AMQCtEn=riR9NqnTUt#S%N^t+$JJ=d4+YmMbgn84v^n3~BHzc# z3wpU$By%rWxAF!0pc8ECg{8}&F{ss$%cVFkYVK=Wu0_?$T>r%==Wv}yRl6)_sVcdI~p*-148>~C0|c?}aATfef;vlm$>T0wD*d5yiDm~L_VY3p8l zh_%1@=IZdusZ3&k7$63S0b+m{AO?s5Vt^PR29{@F9Q^#4h=()L_Ha0rP6k^-nP4#5 z5>2)zGSPS{*`7?c#G;9owoF@$ohox@f}wc4J<`$^4Y#Dz?ZK8rED?%?Hinp_4xAgAs ziD$yG_Fx+7l4yx#+FL>`=}e@pEz#QE5^igWN84K4%w56>*)0z&aLT&BAwp6UWEfh<@-pQ75rajdX zinhhtlEHXRW=^M*k$5H^ZcVqhB!ihuCYFJNwzP!O@%CUCicTccnU;8Khs+#GCzI*6 zXet4x7>T5#k#s5%OhFx5gNaN!-PV$54X0Y#A`7w3peHgd=~OzM4uxA%tx;2%E#$xegvb{Am zM`n&hWARWp*&d3trP`BF?RYBP)*fn&$g7b7%45l35Uy8PW)8O|f%BHuWFi)gMq5H~ z(NnQ>D%IN39*T!r+o3%~QprU8P?0o;@g$IVyYY#>e(0Ee8)>te9oF;-m-%^=5(H3n> zw+7=O*d-3tY)giN$sk;_P+J;EYD-1JKx2E-5^wy#Y5<+72s8z#NJ~p95=w>BZK0NE zJG9F%oOuGM2Bj_Pg;N>)3DWxiE4cDxCI*NBVt^PR28aP-fEXYKhyh}N7$64LA_gq) zd2ER166S3Z$J@WMhMRYrGmYnrS%Eidm(~vPU0-uyjqSaihapRNEjsNVdMe)YIRByh z{0RArb$u-m$}`SW5z2$X(A_|`5 zI4PZG6EvRT12&+(z55QtK>lNDkbWl)GGCI7m2{WQa0!3hKqdIdbn626BI_!`)m9m* z1TjxgR8KD5)|rMcS}%8P-0@M)=f_*J1-Qu7p-({>kD2-Z+4~Z}Hj3--)wR3YlO%vc z5`q#E5{Jmv>XspZbCEzU;v57FMwVn-iEKHNoP#?e3E?cXK)6dOv_L6PN`SUN({hvo zZK0(=DU`D%feDZ)azA-yCn|y_vTiarh{6X@3^% zlpUC?v^SI4+FAPYZ2bmz@l@ESHj&-^oJ--CfIZ%1<6LELDShRXT2)Rbz#H7Cb3ka5 z8hssaQL9|9-zXJN!JidAe>tvcIxYR%%hou3X^5Sx@`i1`?$dhLzFSD;~7%qG)4&^F886b=Umd{P*m zbZ7}v>!24wBkjo69$8>u=_#b4ZNjH^tG{qudMaq-rKUNsg`;*$9dD={Poa07)~AZC zLR|#TFWIQ^r&MwHBnfOTEkkZ=t+rUcirOLGiHaIvnTT2nB0@PQ4_*#za4p}&UA4P% z@NU@ZauBh8%c06egpGf%wNdzgDb z{H6yyQ0LY)B*A>fB7 zmjYjaFLi-3~%)8sO@m!L6yV<)arJQbHA?B6( z^NuYp!Q<2BI3AzMg_Pr2rMydLSIXoej!$Me<}9YXb9_hx#t@IMB(gmP7{VF8~6-3>Kdh4H$FI75;V9K;RM{5OEtZ8!Q2y;&hpG%Fmu+4 za8M8*ix@biugav{#Bf%qag=BHsGh0GUSDxB3>>h$U^t8Wz#wfW-le0~QA?4pn`YybcMiE6Z7 z!s39%0gD3`2P_U)9I!ZGalqn$#Q}>076&X249Wq^{y!*ttcw;0EDl&4usC3Gz~X?# z0gD3`2P_U)9I!ZGap3<12PFM(oI~&D^pExT^?vwa{aGBaIAC$W;()~givt!1EDl&4 
zusC3Gz~X?#0gD6sFb7-?n@w<{kVl^g;5p9WaJ!NH-=%kO`kVTr`Yrk<_-XxF9I!ZG zalqn$#Q}>076&X2SRAl8U~$0WfW-le1AE1Rv5sb&-)F?UzNpt9_88HoV4%qtX^2Jw z0iWR-csUSm@&z0GK?A;>=p1<2A8ra74FUKpVmRtxE{8lupeYz^@`V~gzHm4kvLEbd zcAI6B%SKZu+5kDj#}=*g|9e%T)=d@%EDl&4usC3Gz~X?#0gD3`2P_U)9I!ZGabTa~ zfTS+vGW?mG{*m6PKc>!CXQ|WFkm^+@st2nFsH*<3e!qUVew+Rk{aXD?`o*wA;II1G z%0HFgE6*!GQ0`K$Q?@95O1rX9IZ~-t4pbcS`|_*uQ}P4yE%IgZnR1uBL_S8IDvy+% z()-dY(v#AC(oNFE(mE+AEs~CuCQJKEocj;%m)wuJ?{Q!6-r_E}Pjk<6N8JM@tHq6Cuh=Ti5rd*fRD^#BZwt=~4+*ykR|w|{8R0}>rr;CC2qOOh|2qE+ z{~&)0e;I!!zl1-ApURKqov!y?uehFc-RHW=b+K!mE9qL~I?^@SwZDsV{=xZ@^D*Z= z&g-39oCW7;&UwzLbAod}$H$I$9M3zpJMMH`?bzt(b+kI>ID!t3L$UwE{{r;&wP)-n+GpB*_Az!*U#s`(X}w)PSzn^h*JtZT>+k7N-O#7#hw5YW19VLnbWZzF z-=Y0k+o`>+y{f&S{Y-mO`+@dd?c4fW+MU|1+Kt*)?K15Gt*D)$6|`>sRjos7(@xY* z(2mn)Xh&)xtwEclzo>b%gS6qAtU1+B)W50ksqd(7=+CJytG`g6Q6EPj`CwnD{Qe-;NU4pe zq8W$^{{@T?x4lgB#e9Ar{^P!H(n5w&qCH~Lf^cg%6!!VJhbuH+)bIrYhM#+gq8Uca zA2WR1_e`4KABFrNPwu-_G$3=|p=c4qABu#0+=CP?j33(1Jy1=9a_^^T!O}Btqi6vm z>WhT}+W z5%n9s2zOVR2Aql+5#WoT`=&{Y_(DcF7=!n{)1(EUej)~3;J(4o0)Ah>&)s3t{C-qP zej~=+Zqf|MKNg4@0q(XcTF~d`zD{U9cm{t28biz%<-SJI(6dCKj9V$1&xiso%-zD$ z0ug_N`)U;}L=<+I>5Bl$AEG>Zg+ZU>6(Ljj1w2Br9 zMYv0(nQc$RaAJLAu4oh0^mkl09( z*q79wwh#aGGF5-t_SR>R%X79HK7(9dv@QP(a(UG@>@&#aE$->hAeSB7rq3Xk_qd~n zlFNaPM!Vt7rIOw0o>be~RC`x8yUI3}cMOA`y+4YK*a#d&hvO(R3`gPpa1_#U6x47O zP;ul}aAe3h@}ZslQ}DA)z~NXNj>I8pjSBt^8~IsFg%OZsE_ zJ^J_>jZs2?PKj7?RjlGtV^%fHfp_Et2Rdq!pc)o|DnFEKC3>Y-Ue&S zbJdJ`qB>Lcsbf@8`9OJHc}96qxkb55IaBFUmMF(4QHWl#gI5oRD}7bJA1NqtZjtHtBBZHt8$UwbGYBGqFiJTUsmiN@*z}wMt8+ z1=6w7F;YzOONUDnq=Th8X+Oy=+1($xKXCui{X6$-pu2d^{WRz=9(LdFzT179`z!8i z-CuHF?B3))$Gy(I+P%`9aJRabx)->Qbsyu7;cBn~ivt!1EDr2T93YcZm@I|S(mWIj z#%zb0G?*m9)Dxypw(%wnmhT3v`+SCN98L3~Ntt2ulxR_32-dIxe<&ES9b(dA{s7EI z!@hv+V1^d;$ATf-m@_()_@I5d816?O&q792igC4S2p0 zCe84Nfd{dG-!|N&A)P}M-q&XvRz(Z>qqhC3Xs~V2rdMddiv0IF7=n;V9IGqu{AH3Y>x?e=ClRlX2ub3C+Y}ZUmyS6*!8Xh@;4I9EF$RD6|wu z!6i5fwBX3U7)QnlIPxt*c|}D8BC&-yiY~xWWIm3<^KcY89!J6Ba1@w}BmW#68OP$t 
zHyh;@5fBK+X5lD06GxF5I0{e4QK%V5!DDa~I2uR(qi|$Q!;$YulvkKXAQU?SN6{u6 zMPfJ#M{yL2;3yczQ6PjPe-KAT07pJQ$}8kTAQ&@n6!qaK(ukvQ1CByo90jN1C~!EA z{8Mmb)Z@rE8RZppA`pm8!cp`v97QJLC_Dj2p+j*L9FL>GI2`#sI5G~wk#8)@E8sxD zA3GRF(J?rRjK)!T6plg%;V3u~M}ayV`47aAQ65G@&`ps}3F+THVwzqw2px<2Cq;wx zG>oxP?n8=(x+>Bm{-Z)eLrWkMjBtN9X?~;+1znbp`HRe=upF!v&!L0)^XIq9H8?lmI&B0M}2^fLAcw__-Yv z4U{0DjE-^dP&62VU_kV9zc*><#b9sQ-11L%(+}mXu;sEGA z;bpkDOd1TqNPGqZ+?y2|+-QI(ig0f*G+)pk2ym}cG&Dqp0x|A2lNJVDIp`&U_8XJt zHzM$EFs^a0QZyLmkOG-|rJ4qMt6$SJUj%fi2KRD>2KwZv5rp>gD~1NO2KvUAC>lHq zOd3MmixdsSMi9g$_ku|SEip8iFzDKTS)!pa9oh!+VB(_l!4`3JPYAonwq1_B3k%sv?Ee_Ejdn?U^r_4bo08dN*? zOcf2;3!bjfpmxJS*s;$&MbSWf2Ei!7{n(@hq0ayn^u$k^H1v4T)PT=FGHHG^#X+M4 z_e6yT?GN?gF!#7g0}*CKf*=;T$0{_KeFdRQgt076&X2 z?E4(pq}pZfQ1|>TEpB&n^W1#CFEzKjH=8TO!qGq=5%kBSsbCBYl#z~jA{Y)O6QNKt z>T3^syW$~(g>0_LGk)rLX>Bgv+nYk5b^LfK)sx63(>cQa9X*(~isawXbjNis!qUniGZenp8_)FM6D&ra3@c zo-TCF?MbFPI#Rh*PoX)HNagdA$J3k3u1qBgZRuo_XOb}qD1}@+u?juQBtL@rLcGwI z2ZTXiJ4y{Gj9@aAPvp|Qg><&3l%O}4&gRmE^(B~qhwjYg$}pbKr#pL6$+kkal%ONM z4&a(pE?>zb(a~nWWg~=&01!q1mj}RK&bgy4Qu!IE{0voo1}i_Km7lT7Ps2z3MrD>t zG^kRHaxUq78@$~bc%xE6s6pUlTN>3o;U8vEA)YI=q1q}XOTtwOrt*a})FHfeSGF%# zW^6JG`?sM%qzPkSe-$`&3w!-hkKfl6^fd*-4S^tR0SH!IF`9fvLj;WFMr4y@Bkgg1 zReMYX{K076&X2SRAl8U~$0WK#2o&PFthRy(Hb8n$=Ut zt;Y^Mz^#TG)5QUF@j$1|YZGQ>6Mfy_lVV26?S_EKd^MRL;j~S%xvIxC%lOh?f>WY+lSxDdUT5e76&X2SRAl8 zU~$0WfW-le0~QA?4pN`GGenf{di zxV~Ngo_@dnE&WdY>-x?54f@skm-I{Z3-pcpIr`~(ANUGbrFZCYy;WbXFV^SlbMzVd zQF=@d>W%soeWLEsN9zab!*oR#bi4M6_7CkZ+Pm5g?QQKf?Pcwk+Oyiz+7sFjw1>0@ zw0pI0YPV@$)o#?T(XPfxY>a^jSs)?FI{g?Wo`hohM+OPgreO>*v`hxnL`i%M`^@r-i>VxXH)w|T& z)mzjrtJkVms+Xx3shibv)zj62+M{-_dd7eC5K1ObmgVHT~_D}GC zuK%VA|0n+OP(7dLKj+#1`G30|7XCvCoELID_#c_gTq&G_zDhxjl-95_$wT~gu@qc_yP`piNoh{_zN8V9EZ>0@L3%G z42M6(;ZJb*3=W^h;Zr#LF%F-^;g4|m1P&j^;bS;_6o)^=;SX@Q9f#k?;UhSF7>5tx z@OwD?E)Ktg!v}Hr01ofR;WixJhr@5<@Ln8#3y1gM@NOL5g~M;+@J<|l1BZ9u@OB*D zhQqJp@M}1{6^FOr@T)ky8HZoN;Y~RFG7fLV;SD&v9*5WA@LC*RgTt$FxD|(2;qXcv 
zUV+0e;qZ$%yc~y@;qVJMycCC*;P7G`UWCI7ad-g^x8U%69B#(pCLC_W;dwYL;&1~F z&qe0gb5L+L3eG~onJ72|1*fB6Jqp&LU@Z#Ppr8*01r+2_kVC<06!fAXi-H~$bfX}H zf>kJ3iGnl=x=_%Gf({g

@7H0tM|Th@;>%6ttn>R1}soqjDnL;umS}qqF^}+ zmZ4xN3YMUt1qF*yZ~_Vzp;3yPKL&1?KI06MtD2SmTih>9V!YBx#Ac%qh3j8QAP~byBBMKT&;6=ey z6daC%DJZB%!DJLnLcw7un23T2C^!@a<54gU1s)U}f`YLqI2Z+EP%s(=qfl@V3Pz%! z4h09I-~bftkAe{>7>076&X2SRAl8U~$0WfW-le0~QB%%Ym_u zW}6Z7Mg1Wo5D5EyZSlTBwmV)(XL}lY*Q0O#jooz~s&o@K%ytPU+#y8y@A0R&mN{Q? zp5k~#o2A~NdX(E8i|x)Y@%0;&;%cGp;DhZO(uH_?Cbc%z-j&U+ z%9mqqd+AY@G*6#5%QL=A$9X2ld(u6HRA(yZS+scW{N}|gJjc&k;b~sFWZ~QeaNqn{ z3zm2mEQJ4;&YOqI&1J@W*2Hs(u6Pb$FZrw`yu6uD{n^D{q3+m2>>I{WEL@w-t?I~R z*JAz^a`D8fR1WSk$=n0A_+?&3T(8_k_+wr~FG5|c-@q5MLf!mBY#Y40dV-$R+O~Wl zUg*oy53ypm&%oSQ<1yIlz>1Z?ig7lU73o#!w%&MW3iF~jo&z_e=qXHcd(Fo%FC$)< zca@&Oyoh*Fxmdrhm=@}0zylmabHYrGvcl!k#m9GFeCeKAg_keYpHb`*>ZU=_6LHa% z*DIIUR!A41wVDs(XUnZzU~d?#P-u}j)A991N3m0=8#m5&-U*~rn8j4`HA)4R`-PdL zx@VNzKix&3D4Y}3^67p;9;4h-Ci_F7diruAmjcJLN#Or@PZE9=zM6GvAld-u_e#LVJEtpDORVq|3YE<}jH|2^6p{}mZcF_#nrtmA_;83NX}u6Vu+T1#&{pNCNo8bvAjCPTB`x)3U4QL_led$aAwc7Gzr(C7%Xqw7(ry-|oPky|okXlzTYolDb`FtOU?KSCq zx;>qNTCUUy)47tVj(A_D!1Q4}DD3{$cqYT#h9pB9G^t#AC0NLzQj2l`Nr zR>5@1e5wF!>a6wp^@U;&47f0>I)EB*%}E%VN}!VH`P7NE2HjeBlw^8&j)WUemZWeH0Ip)CHRULWq&gI!>`rv(t zeXzmPva{vE)0R0gcq%duq-u-;Oh-ooBbysIR4|E{VSX~*ze}S*M>+)!j~&EnB+K=o zQK>Aks}t0#_CIkR`)1DmQ~MqE&C=~spEOI_-~GD#8}4=PneI{Id*b8bwPIGBAs!^W zD?BD#BV>h{!a@8W`5*FE@vHcwdD-=X>*l@vXWu;NzsRRppWD;idwX^}-0|?9-65RB zU9`t{tk~l_ChgfBpL1$(8e#uA7u?fQgbdfai+jdhnUOgg{E4CgPAQx&ad~M7S(1zQ z5a~Pa%2iAnM~yU|D^Esg+@*YKC6QjSe`^;{VUaBk{O@tV*m@Ld)1n*t#yHqIR_+;# z%;{o9I>Nd>neEA}_iv5idr&_>_t*#CRMDN4Z!)$>7d+N6a;2yV#3L18>vqm}o zP&xm}Tm3jKdJ#xF@R2G>>$iG$mu;Yu?bO|5YbLGVI%zlA8sSQ|hYg-BophX;tzMG} z(Q>YnwtCE5A?ZLKm?RFL)@}m^ z^#GcgYt1%5Cv}_I*5;~NSCh7iX0A24YNnjL)v=pQjS2(ogJ)`{G_E?!%oKWCjZTox zxAo@IYhZ0(&fRy_nP%>A&%lN-@D~47Yt3Q~tyv6|kzz%$GB>ZSq|JZu$&tA zG+edXENFDig7SUsD?ve6F2s9PuUQD(FtCuS^u|?4l#@}THp2#vG`_1=nq|~v*uYyj z&NbnGZ#=i2$l`#-0gD6w8yryKF-CLW<@8_Z55l?oOSKf7YX7P7h;oPM5hdZz!mouN z3U>)N3Ks~og?j#H{3HAo&I_FDoSlx}!)>>67x8EF-Fz#5{Ack#jeC&E=E=n!5rM0- z*)DFzpER@|aK;&lY$g-$&8H?WOQ+U)TGE}}@p|dV-dyUaBNN$V%98-Ce}3Bd_3`e^ 
z_@g8V+sT?d^V5l3HlOV%c&4X&;<@#nmcD#%I+4!y;;te#|V7PPoh zI@#n&`8uNU_GrlKizi~VWx052R?4yq>N?p*P>u*jQMbF2KB_A(8EFoZr?J@9a$H8_82O z#(cg=&L^C0{%!W77j%HM!**iM?!vysI{6rvokOWftOjFEp$o9 zp3&s-`;2I#FWMOJNriYPe!O_00A~1x44M2U>LrT1O^&n#A}i~ z9uV=#zC@wPvzBlLNMKD|lTJVp`StnkY!7f2F%$6>U(8g1$1`gU6fk#YlP3VzJf68d zpw&m_mL|`nLar}02~%gL@}PspW|28rVwXZ$c|2avq$$ZvLo%1`ZO^Vl`t(E=_Ac}k z5NFA~C`kjD$qK3VbWatzGhOKFYp;3R+-}f~H+g0>wU%nTwRH*<3E3yH-2q-MReBMr zBc92ph(Tfvspq9Vt9r6)d!$TiO)Asm=}LEYNz##xsJS0?WFu<&(phJnS=Uwi=B?E$#^MsIRJ|cnt_anjmiEi#r1N5zjx1q|vLp^DJbtYtE!{1?ZJM z9qG=&x^@ScTv9pI5ny{vZat|({1cS*Ip{%z;wfGBOoo<*wW&?!Xwd2{*N3+Sx31R4 zh0uv{+lXg8%?oCFfaiGoL{k7k+)hwiA!KO#@rFt(Lv4(@316+%+9vP1nVAJFT&AHnMtLXc{##FwPaanr5^%wN{!MG`4yPTNIi+sJ9is+UsqH4FY-Z6bY%9_iB7B zFDsz$!?+Yjm4+A&w%fh}v|A4h1Yp%}f&c@;c^K^rUC=bM z&;*G5LqlT$Ofn!db0E_}LT7tCy_q;jJ`kGmf(N#&tb*2-H;YU6bYyd-J&~RzUFkeZ zz8(pbI7kZ^IM<^BRv|f?^MGLpFfKglfd{~wNJ!3*X(qi2B}b0{QkNs|!+-%fjf5kboeReXPA5H{j$F38#J9Ez-_~})tORoPcu<%3OoKf{Xy`;ki|5Fr&@Mih zP)!(r1SEl6nmmx@pkmxigtCMQUtf0*8Mtv7NCtQ1rc?wnyheRCLVpg6k+Y! 
zwG_%H;yoCaMF=UU4}^UV4P3P)GmKONLbll}#DmR|)EB9F&_8ODsR zRALqB8=i`O7lzAbXy>>=dO!e`cL_k<6i~B*xfa!!pz%X{J{mJ)NmmLr z;=|mI8V`iJBjN$|I8#YaNfht{p^{;yhVm=T+&nOMfr%~ZcR82=CZRt-yK5LYg@Lhe zG#;PG*tZ`V`(S(=g=u7b)BqnuVeveBar;O-dTm;ZN45X(oMLjRPr+OeHPd_pYP-$RI#Mh`s(Wk%J@?G zrj#FifUXGiz#a?qiN)=8xLSxnuOZJ%eFN(6K&t*m6+yTifa`B#NuGZuqJbK;KP$oT zd5DFwk}}fzx;D&*|UMzpSs+7lQx3 z$=ZwBUD{%;S^Y@SRt*%Kf#rcu*x6TKh*E#1ok8nI-X~!bR(T)bk!4Ad#k^LiPIq$g0ei=h3fxBuE|2JuyGMcz$`IfSK$34-Y7N zwMdz~i&YA>B$(3Ln(OOHW-1KlM96{SH#UL)34od_RvbBe(CZta@u&yueI1x9; z4GGd5YYeTd0t==Kpq2rFo5<$iSP4u%OY*oha|Q*4XYL|TJP8)0d>-c0cuv>b*Pcly z%2ZFj7frQc@wFVrnev+6IqLZ0j%DO&N}Z#!`0|un7n%E_DLYZBm8bWm66m5~#kCaY zPgYz`X2n%s+_3~-oJC%oAB@Mti#u9yVzRb!z~agmjKK3Rrk>w%NL_Kq379Yr=jlLd zCNI$|8O0ro@TH~X(%5(~6zT8>{N6~i19X2eBk7ICq8;A$P(0qA^e5U={*D8SI~L-b z$jZzyCSn-=pf3~;?O)t6A73F$Gsi(Cg%;c~kG^AMiBX01!-_kO$5+Vg$5Ds$JX@gt zkHZ|loYcQ#uUBU!O^0Vb+QW+!anM#lPtu1KmS{%inK^HsXI?grmNLuIaY| zhYp1&wHGrmiVW0;LV=U=bdjhaGAo7E38+AqO>c(hMXFoREUY+1#O3qnLYi*aaGKne zMwHCFu|l-a1*bNC#$26q+VEq|~2y27W37FxNWk7QhwitsBHhYc%|g{&4mB zlxVx5ZPDvf=$N06(l>%fdZKH^Kha9D6*?ZM8j?upRhEpcn327p+GWY9b%|7_ik9sw zAk9IAic26Jg{T-wIo)YgYxxF{u~b28+f&`p$9rm!K|8Rn1{oIhy*0@BHHk76vi<*i~ zhPf!!EAa}qmFbZslGz(enCgl3X2umIJ<-M^EqJMO;)1AdS;~g)k`$@j9nGB4avYu% zI&is5QmISbakn$WPb+pSlgB+*vrjMXn1x#uQH?li%pHd?MnJoqNw>>UFe=O-v%u1* zV9o+Ry+EH>+%X*&HjPZfhV4rB%rEX}CJ!N#l>DdUG)y6n!6lO^q#fz!eIa=Hqp6p- zqbcN3m_Xj$&Q2kx;Y(x+X&*Zj^D#^akHj~TDWrW&q9YOP@Wp*mm_jz;D`X03r>2lG z`VM9a8O2w~6w;2TkZApH)1T$^XZ4%(RsWl-ZtJNm4pw%NyljI4xUe`;+7vklr%pDY=`c4wDf+C0NEeLeE)*xp{o$6VW&SiU$sdH{}n&I=o!<|e$oD(VE zPofE8qPXKs@~{!o4oxK|@qz@_^sHyj@iUe-wYI>ylC`ig&aB09C6YP>!#Gr7xdy8$ zaAa}E8Ms`s%ZDGfup3PGE8x9TnQ_G(r{ilO@&tUX+61-bdYp);EnUd+9SOthtfOAX zh18a7F@dNpU98%24ZcLwmaeg(j&Lm2o(OqE!C=@Mj0fZ1xUW6p4W&B#(P$_hNVNw+ zZP|x!B5F(5n1DZM#KK_x2DN1#UmZ z_FRL@s5Noq$f{!4Ej4iLvJ?!IX!myIVgWTufM6kS026b->x+1OKL6)q2QD4{A!lyD z0$i#P%79z*Tu=+%1-=M)4d;gtv(XkO>iEXo-mfuY-#_y6`i2Nr}U%#~wKD*@+X(APM+E_y%IH1E(co 
z&xyod6j|$1)N4AC*h^vp5qnNn>?QCeBKDkP6Ujt08IQn@nt(3=hdn!@-gaL!;cXAb z+k+8*z~>JKK`uW|b9rf#-QEkn!FDC0gBU}3nDB2BGCz<&61fu|*dii)_*@Z{Z?4vId^2 zQJpz%f=%R{apxk(hiZd*kn(Tk_sUO{tCh3h%k|5YMrFACxO|^{p(MNi>E7YKSQx?o zlYgCmlD~^z&!5WA=Oeu6+UXkQayy^3iMH!(McZoIX|{#7qikNAcfb<_2kVWzeaIPwH;*(&UT9p6YO&vjr!6JD4lF79!Gp7TN`M!k^PO6w1Aa!NP_Z8! zqqf;jA-%Z9q_-J)5KqJAb~tGWCy~j{b2!b=kB(ZGPcw+4Hq0ybkH;K3&rR|&C&6(z zieBDnjf6Dv$w3Y_WP4%x3nzZb`DKs>rBfbxI8T|thda?hN6L3c0W1FS8XkE7fn&mi zKn_Ww+v3TU;9VQ(lh(t;z(XmkJd;xmoekhL1iVlrOXp5Yr=?-J-3v$SVgG!(*8?sz zJ5!VD4=VPfgW@(DIZq)n=P3>^_IvQf(&)zz-t>kS`_b8QTj{jAfF{_!0PqkUEidy> zfC+X#I#X`5kqNfIOtAaM;7eqJEsTu@BQQUTrMxkJFzF4ZVm@zsBoXw6Izmw+5DUfq zNUzk7&Vbr%WP&Y>iGjkR!$?H}`xpDs$xoY&Ot6K@1iODEeMe=2eL%4v9ZIy>$jL&X z4o)Bxz|Tu&W1-l8Ag=feR^W;k_IiqaLSH<$D!*v$%)ahk4-RHSAHr&-p}g)MO|Fxu z4AezEYvDzpNqE}Vdzc3(JMj0Qq;Ookw!fH_z36m6BGEvcNi?LhjZ5Go5X~jc>*7=% ze2c@F1Y-jnm;hJu`NmQy%h4M)bQQXHGg$^#FrYgc;0gvDqaxc9>u6cVJFmMD~^Qdo3DjS!;;BVF)j}2ZG@cV; zime2W;|0N1V$_f`Loz2I`~PU$Yn=X`{u}*fIU*k_yQM!#FG@E{=Syp(({f)uLbKrGkF)pLPqWXqH`w>Ly=HsN_HEk@wli&Q+y}OmwiUKHwutR8+W|Hwx08FB z`!V+*_jUM({%jX>N8ulP8SvlO%NuLmX4_DUx)0Mv@8a2wVm~=BLxxfJSYI+4g8?z% zjTr3-Z!nMucwvNuqpNVR#2-y2Izq`945Q7|py(cxibvbq1Mz?#hEa0fg$$!^Y8WNQ zUdX`fW`V*uWZaj>hzo^)MBpyb;FbvBP_g)X9^V4wJG+sCzOmQX0f1Y_Q%`GjS zX6z{ukEla==RFuv%L~4e%O+TukrLN-!9iFLcy0nWM`#^^ecG7MH`%uiCb7tS(4xf) zXUuA8X**%*ti>zZJoDzxpSxt%%(l4;W-nYkzj?{rg$t&7eCvEcpRYP8l?1-Q0)E~- z;1v>bM0RT!B=YcS7P!%8RBl{0zYRVFIkSEj12?$PNy2E8YRI4f7LAQ-z;9+lJm0(S zXgCm>PEMN%c8%#lu=v9lMrRwd!sGm4Bt8sILc<~DX=t@E(Vyt;Ev!2XT>ebMYsN*$ zKjvY`J=Lnz`f1~u=dYQuc**h8+m;!}g|cg5KNU{^*u0V)S?wxfJFx(lDx_M!-B9$-1$=J%sTN2Z4I9Tp9y@;wjS_g7%8)keww zTpCj;GdMU*NOyQ4^&W5%!kb<6F%%)%P8!f4L2s#{st_gNK?cv zB+G5F(ikhPv0BT_HcT`aLW?v@0b4m~l)E*So8##&#{0?&Y;Sh2^+&MWBP%d>jTKm_ zCqSi#amrGqkJ>Q1*dM}`UObCby14}VRN|sq0(@FwF$7UDs@P9FvyvT_?qQ(osf>P8 zi~Rxo=EsxQ1W%WP3Sd|X5?`KVB`D&RAZ$SEr~P({XeH>w*^-r@$gTv5<4rP!5yu)G zej}9#bby~_A1DgjeJO9$7Yum=e!t)6Px(Pl*bY+|;*gU}NW?M8XgmUUCD9aSDlUmk zVMJ;Qb2z4#?x;**_AB;J!BR!)a23NG=3CvL5cn>Bp 
zpHh7dz4r4^U_-VrpMb4!gQ&30wc@U<@My7!{L|HPgpKwLfC|0P*G{H7YvYAP*U@XH z&74;_Zppg&%TMxWtEUhZySzD#Kvke2wKns1e z*gqK$KM69>n6s)Ov}YJ+C*gaEoD$J&BWY_L=sP zwtv}vY`Y6I0%zDx;vVC^&0SzS(B|Sk;NIeX4*v%G1NCPXKN%6e%AmrR-nFQV+5oz` zZX$fi5UmUlzGQ{g4gQnByFXTmV#6gi-eCwP3WTW@E;H%#Fh zbcqz0=wMxgw&lWtFWKG+Mp^8K#{+i)1b1pF%B+|q`{#(5l*byd!VgDMhBp#y4|;=P zBqo!gkheV$FggOMfIk_IfS4qE>WI*j$0R}>sbDY?MG~6qpd&3u9t}m$po(@=MT1Bs z`|5~DmCGV^6BsnwalKqb3>xxY3rV!sk8&Pe`c5qP%SEP5;(cr=@5{QGCR0e*b&Yeu zTlUMlvB76>2E2sgZwpY~Ldzeh-GziftJnrOMgR>cQ8u1~i!Xm;$+1^?(V9#4db`pq zVMjMw!otxDvVMi#1>g}KyW9e|V6b*A`*^P23i%m{AMnv!@`69B{AC0Xo|RQ+Nh4Ys zSJ75!!jL@JOLE;U1hg)S=fIOQlH08%(#%YTa;MxngKYQ4H(|b_WT{+hM+>}tCe;GQ zb5LG@yJIxm4(Z03sh;&qS|H!DbsgVTYeYt`SS{46cj4{jdbhLKKL-H(`gFYk1|YIywln}C(M7h(mI&fTrPzNeE_w^upds&D z3vG6D`hbOYsrMl-RnRZcM^50R7v1sbo=0~*++R^ICLXHF-OucQtuT_}4!DaRxXb&@ zjLrK8cEsH-;CC~Uf6DdyDYz$)4k-^hg=oboOKoY?oMQjUq!rt+FqX~EyywCJIwUzP z<|SDT5d5&$W(6*t?6r~cPWD|(H|W17;^d_NN~r$^kbtJWuS#fcunZ?7a|4MI&|n21 zo>a-)KpGo_6I=d7B;}1H+Wp|YGz8vD+rt6aYvT_`Q<3%#GB+R|R>?RZjp;}R!~Tv$ z5?oL96UV7U-b-b94&OoXqMlwvKD5@;b8eft$D!iS7t~uwIkIDr%XNV=zIhSW%Buv z6l{lr14PJQa_K-P*bN{VXW{V*o!hvh zN?!gOw&aRC1>BG>C!$5&>){)HrC{;W1)k&KizV2ESXyegRK9ZupVonI;1QFqKa~o` zQhsmBAA`kh($@joMk7&gN2opEH$Y0k=j`@iT&MJz@bMq~9ALckz;0)BD4bdP5BN%7 z9GV|>KlxDKE=F~vvVkuErBdsO3KC6`%Zo#>x2EE`L>DrD;*aIQ2S6g;-o9ME53Lg8 zJ>b(BZOn!}ssNDtX*goLCgttSWZUBzFN`oS3c(N9f=oV9Mi!OjH6$$$rh?n-+$#9E z;eu2;Uo8vZb~s=UOOiyYVl4$Z5cX9ppV3Bt2)^ehb!U_54)~}{Y1InmP}qs`xg22{ zd|}$MaQ2er&5LKXn%~_rzi&39F9(aS!ZP$$*`8K#6AvyGOjGET);+p)Auz?f9n=SC z_p51TokD%U5AP0T$}zVbRtle3qD?fjL=p{hnXovOSPypZ1`s3F*9PPa>CwVD-?|7p z>8I0AB%}fPlk_uF9dX#oOW%MBFJH{BDr9@9i)+b7`LdcdQGvAtt^~~@lf++o#DcuW z{-m;F1R`K_u+D{V6m`Ydz-KpeWw}}V4D<%ExRb}jPLWL4Ra0pG=X;o1+)1_&66vaf zxZO#14weYwW}&#Vv}^DjJjqq}1#wFjq;L*&h+a#OoHaWW)e+5}*jm*UNneB(X3B4} zVBOLkj`4lq1;u`E0p``ZWrc57r>Q?&z{@ZTZ=nO$BybrSEw=Z z8FXNf+UBC=5AjeBUx(=Q%*G>4n}o+1=zR3~BXv}&xRWFE>mx{k=E|ND+Iuea2a0?! 
zV4Q=eRz&-tGD%h zu&My!HHOUBl(FEpB^C_@QfLwdK|JDvebwO(Z#dB5@5vl!yveB5sCF2L)V97ZVkyve)y-0Y(%& zUmVI??!kN!EgsOBue~uVK`;Jvh9z@}Kfo+7z<^NO5I$7Jtl#jKS4rM%4!%%=?PH(G zUc1j{j`$gDne(8{avkW8%n?odUuBv{8UHGCxha$laF^DI8k3+QZLI@4TAqwy#Ezzz z)1A+tDq%@TJTH;yih|Sy#NkqjAfC6p*iW1-onPwC`_}yBKe3~&+-gi2UG?FKN;`tj zJ6Ej7c$UGmo!!dmfdky9k;f9O|KD&t%ISa6f2aRSe@6eley@J3ezks)ezv|^PwLC{ zA-+O&f-S^Y$PPkjUS z4m_?tpx&-tr(U9-qpnt$s>iA^^>8(z9<1uBP5F!RTjfRN$IADVZz^9_E?3S|`ji#Q z@yaytIMAt#Q${E*`S0=$`PcGKUL{YI>)@=yN75gq z*QDp9N2P7j*QINui=?xpxYQ!ek|I)8s+UGfs{7yWKe^umZN`sa|H3!iH@Lsx-r!ET zm%Hb>k8tPRUiTsHVQz=`SMm4auf(UthsC?auZUj~H;HS-w0N>OUp!hg#6!gcL_zpa z*eSd!{7m?P@NMB%VXJU~aE8z=vU*zmz|gkMW1|2lF~_bN$8jTi1)OAG^Ni`ljp4uFGBLx%yn4t`)B1UDI5Ru5qpr zE|>G~&K=HQJAdN*zVlnouR5=Ep6^`mT;)8)xzO3{3^*q`>zr=KM~**&2gc_dk2P|H%Fw`#0=2*uP-kV9(oA_T~1u z_9N_G`yuvW$nsbEv)x<%WySjf2UKUB%|T|8+_v)>w3$Jh7_^Z==P{_rpbZQgN|p=aSWQvpg9aWmO-;C$jxn=#h{rCn!%vy z3~FZ3(F{6@LDLv?B!iA%P!oe<42m)+!k{pNLJSHrC{RHnx6RKWgF!w9H8QAyK~ouY zID@7zsGdQS88nGOhcRd(gC;QOPzH@>&^QKpDoEhAjb+fm3>w3r(F{6-K?gBtB!lW0 zbRdHcV9@>y8o{993>wCu{TQS(NMn#%K|HrjW{|`nH-kh5DGcHn}4Ehs;-e=Hz40@MA ze`L@f7_^f?{S4Z{pm!Mb`wDV$_x+YZZ!_pE2EECk-!bTQ2EE3h-!SM^2ED?dUo+@s z2K|abFEQvv2ED+bUozv%_O7VQGh|H$>U>tg3+ z&J)D%i{Em8*?qP9a%mm-6u3^lK#8hXsb5eJQAaw5J7vckj+Y(JI39OA;J8OzB_{b> z_#61s`8>afpUWS{|B3&p@JHb(;Zflx;TmC$kQL?$vxM=&XmPAqC(aSqyC=I>xX*K+ z3BC#c;(pfsWB1owYh6oR^IcP1hq^fDht3zAKXcycy5IFB{t(y4uD`l|F5V#>E=`b@ zN(*4G!#UE+(l4ZYq}$~Nxm!L?E;?>^-0XPI>2x0H3^_f{gPa9txAR2jts{CHU9Y=-#Y_B1KFE9d>3oJy zffvUw@LTwM`ET&s`F{Q_{uTb;f-3lgdf_CYMd%W~C|o3L6t)R>3BMCw6J8RY6Fw3? z5cd<^Vv`sUr-~EBQ^aNBLNODGjKKD1>e}GdZzj41P9Sq-?&?Ql_NykdZNHNI|yHHk238_`OLb^nH zMtWR&M0!B_oAjRaj`W5+Ne;;;RR80*0|%aT-L2lD-oTG^y(>Nec^nJ(JR=_@cgSbB z9#enhctqXq+T{2IxL8!bqy7}Qcq4Gk01o{MxRC)q^gAz5e<`TyE6(HK-M=Vo(^r8O z>=b>OzEGc|H|tG$K%c5l)W_;|`hL1ww`(71A83Eney6>ry`(*-J*7RWJ)~{Z?$W-l z-K1TkeNnqe+o+wTtwK06G!TK1g#~}8baJi&}tI(;z)P`N6G>mshdf(i4Yg! 
zNM1#vm4tXQiB7_ix`jmN6XH@5Eg{4UNpt~@M3RfrL5LTV=pq~`aT1+Ih+iPlr6jrp zM`Alcmy_r+94Vb7;z^Vt*S<(lH$h(_$VMWL5Vw-(DiU2uqAPGDe?+2x;z-GnYgZGL zC+Hd+$$ur$2ZVS7iLNKnbtJkLNAi0ldKX8^I&$qsg4PrCWgN*n2>J?%Zo-jx6pj>y z5Wh;In+fr3f^H#5AkjI5cq@*?5Fw5v#M?=98;QP7qOajd89}1qB-+T21Uo55c&2RP zy%bV$68TzwI;T}MV&uLH`BN(?Wx`#Va96pA-@+YGxq)uiGO2f&)Vp#SxOW+lHK~4? zG%0xtzkOhmtN2$crHjMJa}q`>Tls(QvUE~o%JqUu-7X6C6{L_VmcLK(d_-s&SURa3 zg;b9G9g^}vp=)5u+k}mktmSW$l=tFDxm~zxm(Tf4lJZWH@-E@Ifmz>8l90NUzb1UZ zjTyjlhVx$$-2-wF-WDegAj*%EtRE8>?j}#+*CgdrVs4kOQW~X-;`J0Kp2qj_NfISU zM0!6T7att(NXkJtiMU>TqLPca)~#?;cJTM5ix|l-xW7rg5g95)GN_8B9`KI)#oayNTO_kLCEM;&zDiQQ zBKf&PSr!dIIHht3iN;E;yUALaNK#IaF4;{=vD6I@CpS!y9vD#JBI$-A8EKUWNg0;j z*iF`oK~nnU;k!xc`UOtu`Z+JL}vGs^&U0{hHV)6g;psSBFDaLDuiG_F|FizK{(}Cb{$2e}{YL#Vy{H%T z4*f*1{vW9~=pKEz?$rLKy`#OXJ)=FM-J{*CU7>B()@duXR&9Zs6aOr}ExsT=DSlVH zQ@l(piUqMlyiq(+JWf1PY!E%-aM3CJO?XFmS$IZxM7T$|Lf9;<6IKd03$4Ne;TXX$ zOb`wfMEJJAANb$!&+bIXIhey=$3kj;qNv)iu_&pUdw2!1+7pOU|d94>|90-sIfqT;uF=p5*+Z zbDr}kr_VXwxjzWxe>nObuQ-0{*zUO3af{!wj*R0}INvbc5p*2p80nDgAKTxx zzi$7z{W1If_S@{&+Ap@BZSS?W+n0bB#Hf9WeT-dG&Q)?s626u&M`==~Dr1%X6ubO^ z{5$z2`1avL@?G*x@)zZe@*25IK1rS@A0_+b@$&vMFa1O6mtK*6Ds7kUm2Q!)lD0^v zOBv}@X^}J?d@dX&jg%z!$L@FCue*N^XEE+~-{!v7eX;v&cdxtMy~I7+9d%D}k8x|- zF`6Gva2%+K>Oa*#sJ~I4Rez}7r+!VnTD?#`Q|(btQx~f<)v!8Q9i=MDzm)ftHXxSQAQd-l#vDyWuyT_8EF7fMjAkru>}xivH?VyYyeRv8$guF2GFPqCje0<8$guF z1`uVk*`K?gGT8v4Og4ZhlMNusWCMsY*#M$UHh?IT4Is*71Bf!&0HRDbfGE=oAj*IP zh%(>+q6|2IC<6{4p~4A3lmQ12WxyH1-A|cp08u6zK$OV_5M{CfL>YcYaN8)84Is*7 z1Bf!&0HRDbfGCp+q6|2IC<6{4%76ptgUY)Dq6|2IC z08u6zK$OV_5M{CfL>YbnQ6?Kel*tAVWwHVE`^s|yqD(J z0Yn*a08s`UK$HOo5M{st^wY|_1ELH#fG7hFAj*KVAGeJ%-~ggbHh_Lq$rBJ|vH?Vy zYyeS)A3&7J1`uVk0YsT>08yqFK$HOo5M{stL>X`ZQ3f19-(#MWGT^{9%76oiGT;EB z3^+QsjWXE)qD(e`D3c8!%47qGGW-CdOg4ZhlMSG|D$fb%n+&>>LEm7|9TjvCcYlsS zs~MDKP!EH;8I)nrDh91&P?|wq4C-W12ZK@!N-`)>K_j{Q+ZhyR&}j^6W6-G#YGu&L z3_6KHD;RVlgO)RB8H1KGXbFQ_7_^u{CopJH1=Vr)FJ#aH2F+*CJO&-lpyL=che5|O zXf}gpF=!@(W-w?vgPIw141ipsz9LRtDWtK^nL1s|>oCL0@6e 
zO$_=ngKl8Z^$fa>LDw?q8U|g>psftLia}R0=n4jXi9ugv(B&1Ra@#Ir&=(kVDT6Ly z(8Ub8kUb_==eJmq9tg3H|`mi9DQbAwKTWQEl4EJ$YtN>7m(B_zICf)%>6tX>?jS2kTUid5a#`9u;uJo+GL zVLk0~0X+8vd;?rAz-MPaClB;de3prP90mCzfri+eOv1_A{F$kqWFEQ2DIbdSO^=eZ zcV3TgMq~!Q5&Z-w9JM{A?(Ipq4M!ArPQ@Lq*oluk=;l$l&$3~CZp{jgClfEzNcarb4ZXkQ|^kJW(dmUcfIRT%XCZ5=Ie(=$EcyTBBMkG0Y zt(85o?Ho@Xzt-UR^-l7kMRNRFV~$_%B%fI%$FH@qsU&zN55jlEjrLdvI5UsKXRY8% zR^XG(2j7`bB#lG@oSE+=A6q1+FSRjozY%EqOL(lVII z18}J_FcM7kR76U_OwZ&J!g7J*5Nig&WQhZos-oiE`3@RjGp&!CW<||I;5JJ>{r!{X zl*VGfJS?^W=4W$=V{*rV>j;=Jn+cYX(e@fl=+hJYAEs+K^6hjwZZcmo+sD8r5|u>K zaqb7x6JU9$ipVAd{ila#hy7Ek$T4*PB+~q~Wniz#c2mY)Zt636T;KL?+?PGL0$baY zv)VQ*G<~d65-X}EmC<+qcHqE)Ym~Z%B?h3u%0#R`h)Up=H5vxXgn#=ssaB6wNdDW(0G0f zPA9@!1v5&_;s%17TVkGgIx$5<-HJe8o=&}TTGpNdXO^O0oWP{Hv2w8Ulr|w@1`7;1 z!&z+l4Dy^lhngGnkZrTqY99k+2o#tP!?6GcR}+JQSY+APoiGpz`WCREV7m`ag_FXQ ze|t4@S709z2Vl_7HjZo_r4QV+%PH|4-6x!u{)AK!tVH_>mA&$OUys~KSZ=yMZUzfM?xP7q3L*jT?#SU)rGda>wecl*CbcSb%Lui*#2*E zb>n{IzTn>FHghYvhq#A!6ua)?25_8kqifb7Zv)gFat;TP0W|bEv|+HJJ3AX1?f+s! 
zcTO$L%noJ-v$6s?!3dbxDJ;%{^?IZ*5X~$q%nRj)LZOUIXlS$vjLp_LB@zThu(a>n_7aO`W%6RVhj>(iaU0X{BL+68*@rI8b3x=1%MSiec zk0x-ajh&9XX8W>WkzI&LSmh7oC9vK~Ke2J^CyzCsXu4fTKMr7(u@)FWq?Xug z1cv~A|3om@3fyF_9}GE~!jgUMZI_XVAGe&n$cl7pp{}YT1~&bPhrDQARaqtBQh{>j z`Y2EZYx_WYnr%O#23E%)*U=j$4Xvz=fo(@{ZVl38xCV^)rl*H8bF;GZLJ-Ky%E-+C z$AAtAZ4V)g2vO7s_&`5c00s^Ra&ZkxVh*tkndt~-&z~|4@Q{*`2<+3mKeNv^4DIz# ziq<5oipL7ZPaZz0U^rN=jMRYKNbG-uJ@OHCHTg9*6F3P2Z+p#PY%Dyy(7MYev6&*; z?((lC@R~AkO?rB6ZaW(YQ9g8mRSv4TwolcWrpY22hyig9rqP=8$Y&N{#DBJsWB4ZRCbl@26!o1v^U?`9o1p{j!4S-)B*v|=Mgwr!}Bbj+Q;b0WTD7x&x5!WdN{I6z& z!QL?#+}kmXJ{repC)*fBN5AY2#~4L#zBooZ(J^}E`1p>&C=KAm)9Ik40h|9iFs=(O zkTNr%Vd%#Ny2nxEAI3f|P${7!uYUkig6-+{FB(PG7Y+E1kti44jY{mwJ7j_O4doqx zG1;87LMju0gSqMeSmh6tg~3L1MJ2Ez_?S@?VEYGvk&=p1SoiMc@&_zF=YUb=UquS= z<4*o0C|V>+tz-@aJHrL-xtGJK%}P_vT9nk>ZksH7W!ZcERMIXl4~DWGW~RZp-kuJ5 zU|xYb-S_6pocNAGILAzjl|Zy5AH} z3^}$?Y#SK%K1J;8J3JQBtqNOWd*_10_P*6uf&H6k-9V7^XM&6zD+$0?MA#ker_hZa zun0dVS`Cg!!NFQ$Fz;=WITRLmTztn#baq9jo}JofanKc^f$eU9J0*{d??5-emtpgo z49-^aj!jU&$U?LX$jCZ57+G$7M=re>#>a@Z?DtbKz{=2PEwVC$Fu3e&UHqEs4d4Hz zVkuubTKokx?2i!Id}+Q^pROP09qc{P+gbjX{E_^Ke1m+cTp~}D)8u67O*oN%hj6{L zP?{rT!dL$^S9k6wSm{5(-ONQ@C9X3eF58vjQn??v&pCL;Upv0WhSbk=JoW#HlvkC+ zcU(j#pBskIhUt3H?9}w9JGvr(t^g_9j0C|eAFLq**_oL+;LR_R5hyGI6@bF5NGPi? zk{Qm-*~^EPb{E%)FZ@Ifq7G!>6C5}pGao)PS`%YF%3w9!K6iu#acwnx*#PZ;S>dAD zrLoHD7+vs^l~fui8q}n*H7cx?ODh8CebHPs@9~L!HwW$T<-_j2y$n7oRENu^mjg>B zi+qb|bi|YU0WYrMY1FAfF8JXiE@j(UZC6%17u)_^D$X$euThcYra`4q|pYb3q z$V#N{*_RZ0AK6wR?i7GM&nCwCBW0z;t0ZB)EH(RtvU}<|Aa8`L%*4^UNEz&mz(*OY zOe}925%5>k6vfyLi5T!_P*s|lK_1AWO3R_xHaZqAFDosyMZks#ahGX}iB->Lg=Trg zN)o;?6VHM9y&~OqOQd>kRSi7U76t89Sz+Y^o_C_f#LeJ9e`b*Aq3p4B0H1j-_E&%d zjYK`A(@#B#N;ALvm=)8Gl)=7xC&Ua?DA>~>>(uy;3sKNOZ&qDRLE}(I1bq9SgE`~3 z|E`B7B((SKzmRf|L3EPp(hhrLbpZS=OjDu&(|1O-h#7bbJvd1!^_HIv@sYxq9P31NJW0wLPIZ-kd?Wv>(3MeBCx$z7{w2~ zup5YSWE46<5qUD{3^mcZ8sce@lx6s+Vfl2oEL!dFLkz{k?i_r>yPy`fuZsEtzaYn0 z**{nqqEkU!7{o*^$qg8PlzPCv8x4+(K+sgx&MIUs? 
zWjh0xh21KsPP@Ok&b=W5EvjSvb|n&Hovp&V%COo-3+mWbUH92mXi=Tzl{_@QqlV@+ z2YHd%QU^5acaHCf(Ohud*tK&-WknR~3yno%eRZ|mznkm|Y5>hgV-0j6HISYGu~jrT zD>j&$32%)~e_1yp3+W1)3>VT}oD1o4dI=ZOT~hOkGP8i|f#;vBTwsZjtjs_-5(x+L zV3$3ZQ&?1-nF*Hbca+hadSm0IqlMmZNFOALNhhwDfHA3&x)F)9yRwdtH8mK$V+miA}JL4&Mb1STO3qR|o%o zoHgOsgIEFS@Z?hh_yW#PO#iV08>1j%kKa$-{IO3C`?-m6lfCX#?76eB8_#e5qrv5o z_>N*a$mi$cJYur^L+E1@fSW5Sit7ch&E=Z}r=h|rq2 z%8NB|Xd=o1tAap(Jz(7rYj6KRTp1;LslA)p`>DO7(tb+%D(>T(oppcrvi`dNoqQtF z>`ml2B&7|-+sSniKbSLi!5RI<-X!lr?=GcE*{+pnTlG=;GG8ZOgRxDTCvF#~2`xep zPSSVc=kZ%SGMu5`EP#t=cHxwV0oFhMd_oIC=F^SwN8_@I^Sl4<41Xx3Y*1k z(sp^9ceAok9R;W3m*^$>Hs2^;3BOdR6B~R>4cVBdY}M!Si#-d4d~vX}#G9{dQ8(+I ze2c{`-YTsHY!fW?j1o$OoswTpl9zawD2voZ+G0K5x6D|?ZxJt0X=;nM6s-B}^v&>XHIj^F+BSWw=I0lBIIuv_BKU=6q6`)dc7pwbrE;k)eeZ*1XR!NpZ zV4<%{+9vIk`^Z)DLV1f(CkN%FU=eXKSkjxP>{6?=?fNvm#pm}eGGnzoFe=BW}I#Cg&} zS(Zz@gOw22OV|Q-BROTTR;6$Dg?!tLQPL=J2H(K%^vnZm4Bff`9bvSAbn^JT7O}oB#&2k2*XuC8!Nac4#`vanNUv={di7GI8|ic1 z+`1h|uj+=^*RDr;braH!jffj*y@}k~H;}IHiP#_#6v46r(yMwPuKO9W{#wM1T?sP0<>+eBqdXpfO>n@}lk49YkcZ_df@3nCt#y3BY@vHyA(*20I{#cA(#oA>B?RRdj zfz}h4*~d-rq!@=jJw!L%RMcmTxZRThIE-#u-RAet_3E#t>U{j9)|B z!_75*#I7&E_u)1AW+JX){e6v0XgAkF+XL$TbfoJyV7i8W zh)w^(_{MC+Ri|S7nq;J#iV!#c5wW2^;tJZXkng#KhI)Dt6&{Zy`0r=^HCVTob{`f$06O2kGPVRt8oP0x9M!eHD@9=Ohjy1jJS%< zSMdB&LW^7zE7$rzd;J_esEFy7zwKRS(eU1HV)~Ui>^>fG)m4~&%`C(wIv6X)eCvwdhn0`4Mr_Hn^2mG-B%dx`1`x{t0tf2D=%wLqRxVh%jFx{F5FkMp*q}P9| zwAjnFvQh=1Em05f{Blg!l!Vwg4{?KpxPr~MtLS)!@z3U&mMyBS9-y3YHQ$jh%}3-K zSUav_^Te7JnC~h!Up8E;HdyyTy?;WkL%ThX>DJJ34bP?X9z2JQpAE^FZspCGuK6sa zn`!?AKFIp#8aiJ=f9V0L6+t)GMBBy9ZJ4YF?e(&P_49StVfqy#5u4b& z*?bAotNw=htoa(TiO!QSe%bhGrq6+PaO*SLtGCr`o?LMb-rsx~=DXr7eW|@X4Vy5& zVFO~*qnN&twfj2S58T{Z55}+Bj<{ha>{*-r9QZ2h=WAJiTtVj@;6HTUgmThx3G&vx zcz?rIg3y28MtU9X2X1clQNF=ezHnc6yuKpQ-#^FuR?ztg>YdfcYBnFO&hXjB3AED= z-x7O%O>};SaD83K!MsBIC)960Ouyk7cHdtS8)^H&^FKm*-Au#reyeH!f%{qi zS$h&m2letN#MNgSRaSYSKF4Ex(;b-KhU<+j_UlW!Vtiu-rfX#Vz4<|mU(5JgQz6n# zk0Y*|i@2J;Cp;(2uHR{FxAKQ_GCr{4A($i0{sZ$5ombu5lJ1JJ$h8R8|F9CA0qfyK 
zu(C{omE~rzIJXm4kx8(g&xaLI9ayGY3|8v4D%)Xg-v`!)Az0^D!FqLxx>#MLHmJ)~ zSgor&)$Op_=3s>%)bh1DuyJ3a&CpuF&fGGvf4>#hqam7RM}%NK+y`_PX2^@dCgDO@qc4-U%3Hun;dUT-uF5FTq?iU?5EjAt ziKX5xz9d+eF4A_vj>KkIhgb0>>I~R5NP@NhVp#nr=}YxRdL3Bp+YT#N*w-*-7%luf zFWEckqszW|M!vDkH_g|_x0CK1Oj8yqo0Xlg_pngirG;QUy+r3=_hz2H40a*>V0V5q z>_o`EUB+NziLp!1Hx|P#PY`x$<|#|S`@t4i-wsym$exF~74~iX+Ctc~@atQA9PH67 zg#DFK#zJE=?DH(tcIutR>mc z1y=)`sUT#0K+Ch>q&j)DAGeXgj)^ea9^Y?{h&7{fG%DGa>? zA)g@(1BfeFJvLFk2j$$w(m%zJ$^$ajbUmXf-vqh@?{A{=H{@H4^a|EKP1j=jde+X( z$06O^1+nQDhC3Kic?0sL@($$pB#8&S8*v3~ADL?oVfy+b5t~`NG|y)=?PrkgTt>5Y zX`*rr+XEpf})doQPQv&1zYgV&oov3yv2)%PMa66b)J*FO zp3}zixq%^_ZzOIdoi6|f;{7X6VAzczoqr%d)(@L6XYq7ifcwrPG?b6MXFaR8m8)4g zHcnR3egNs&e9_#9*P9<^>FD@^=e)@Bdk*6pWOkjl58VF=(#;>T>$JWlZk30{f6d|t zAg)Rx2<4;mAf#jM)Ii4>%!@(1zS7OoeZ}sZ#E`X518c8UQI@_3UT>i73HeNA@h3Cv zi`Um|LtJ$&!#cdaN@O%0$55_&kZxe@*TBZ{%JD4SMs}UHGxQ5Kj@Q!rfM)%E-Exvn z=2p%i2=T8V-9Y;f&}`mYOP>og9Y+$kj@CEaw}9OrLtK@N`GBh=$WP+d(sGF0I$E!A zAMKBD-yJO7iI{F3?Qf875WDXkc6}n!>p6mO-(!sK%ILKO;XYc=@Vw92b;>Uwehy3b zI!kvAUSCVcJLLBn(k%w!dder@zPkwx*LM*Fn$9zT%P_t{VexMhl(_Y5T&$t>1MPbx zyUxn9n#~jIt6BWN*?rTIUeBK2ax|kyG0bL2uNgQfWDbsXX9=? 
z9Y+xVGK+6w$i`7i4x?GWTmLAdzaa?n2^){=*C4%?_Ct}|z}mNky>|nh|Dj)gf%k7< z?Y)}b2kB}10MhmZr0opI+P{U?1H9jB_?%U=ec<_wZejJdf%U@;tRHWn;{@`d;{?)w ziuW%$f|Y}fgY`5X(rv}-8#W`ZX7h0i?Z?o6da~Gj_cg!_MH*Xg(idI!?0 z+5Fz}N2J&N0dXUpCqTX%$>{C`MQ&qfq}OC1w$OeJ@yD|GRF*D;^u|6cp7uM5Ygx;# zk73v8JOb}e+Y|VRmt8-PU7vus<}AdP*I9fa;)WDrY%&l?xA zbXVZ@jkSmy(pdarq}S4Rm$;30A>G32bK{dN-J>jBf5Z)x@4@reA-!fEOZO(y8#l3Z zQ(63W7SGys9er^{KbG%BI=_|c?;g$ZKl7jR-P}L8H@P3-pW~n6 zujb47{>E3vv*4kuvyan1gcafms;>M~`BZs9xfSfxmntKbzTW4+D*bg*Bdo!1mrnOw z>#2ragu$LPPj`2%`)u$pf0SErz3N)yx`lhC-7%ZhN_(19jctI$JR7FsO!JO0S@5XxD^l=qd45iN=>x)u(QzUTxSXRQZAh9pIlpA7Dg*n ze$bn*0_##q@m7&$a13T(H%D@8yj7srPQq&<-hUdgV&xxCv(Ja@V_o8{9-0mnX}gkR zJV8*TZG~z32$u^LwYv6(cF_`T14^)$(2ML%EtS@;@f{b_D?RB$yB>i$?@%?z*>32b z5{!VdARJDO!gJ7I8a}6cuWs?yV`x&WtL}-qf-H`d$thn;oG3ta+x9XrG5c%^Z7z^WoIh)dRpvW@aFm9S8>V4y!t--7J!y*=MpH z5}iKB^O1%@OfQAQ zDf>9PYMu+h=d^Pu1dg6o*v_6NI_sXtLPp11d(+;_3=?)Ybwm%M8DX5I(&59#8E9g* zqNP6;AOcwQ9(8OfMx1c|U2iW^Z!h9EPT+-II0YnU5*-nurx{TRl3hZ5m zS?3x*VY0tZX?b{Nbb3`7?35BK4OXw9=fKHR$Ujusv@RyP%mG-?vI=X{#Y~4m9R~Y% zHRK2u*p90OYjOkqK?Mxw!Z9Z3^z9taX+_(NgK+w5=g0@^jnEsC?cF2!ym%`bp1VAN z_nN$kDES}sBxReTdd6Fm=p*r1YIn!6)ZXz{G#Q6yAiA3tw5*zeBKNQrxf_uW&|Dbu z^KMRlj)uVSs7JTd+)OZlkR8nmq(^gufvnuzP#{zo3J212iwc8aCMl<=FdaA!8Vf@% z*DWOy&deyx$teaaU9D&Z3gHa zrhd>&YcC9+a;}b4zyWZsjtVTh@uktkR%Hbk)SDOudq&lf63d2CF4!~z69y(@K|VKN zW-yp;@g$q|wFBlfZ~!t|42Ct)(&TuwT^+9RgTV!VNq9CGq^=|f!HP>~)`E3vP!pdC zCYt=kz+;KnG=dmJijl)&ljfGkz_cSKZSPp8d1#W}GkQ3lpadgIc)Sw=XikA-OXRY| z^@4Csq$Y82vH?a}Ld}bnCQ73&Pky19NO_5Jscg$EiFY2Dd_c_yU&8Z-LPu!=UDTavkP;LVK9= zF&nZ^0k$Dw2?Yga6C#;tK%{KV$9PCV0XE`(b@}%;%q_bG2hKT;i?^cDKeSuWt$ofx z?H07k_SQ`%_W%01S~>Uo?iTko?z!#>;IaI2_?jEiH1&J+19g-7DEO^AM?GE5QvRiE zQ6?+Hlq2PF;MMO$=_Aiuo)*tToaZpjabbY~t=^8bGlPmi~v1;ER3ASbooO{lo5Os7)?oSr4q z=-A4c{*k58vZB~@1>~=Cux&H8v?8j&u`QTaZ868kTLZLzp$OAs?@xevroXKx_DIf% zx1wqEGpPjA!<1l5mj#o;#nGC%W5P8T`iDkg&MyUnHn5~d`{~Gid+fHP?n@tmOX?mX znihm9l`Ph*+@L6vY(+^*w)IY0mL#(*BkI8DK@B;w90Pd;%oD;1=aFDIdMd2wAm9Er 
znYKUJ%qNDF`$P4RHIBaw92=C)MZ-j}7$mp*tLA2aa0V}dM&R%zlI$-rG~Sv|3pWRg zB2KD}Rh35I-DC90{$Wlh4gTS^loyUG1xF9ibl7aLYk;=9aM$1nvTKkLf>^ZEWs9YI z3FB<=~$m_Rn(Y!VW z`H+4|4zSK5ecblMiQ|a9%bLnaWf|E-0P~NfV26=3FPwM=``sWp5G$FnF!&0Agd~cj zn-ePsYIX^j;vh?&0lSHFiPM8%m6uq$E(;e9pr$*}Z3a1Zn#Qbd1QJ#^0&sq{x;)Jk zHQ{hQj0JPkAwLWjH)ny{l5p*XQ8>6cdi-hr$#A^Uk`rMAB0CMXDSn-Er$H)E+3gJZ z!43yIb6Wt0GtmwQttfL5Xt!ZRk|)-pX7b&tac^Q;O?YN(pmn~sJ+mZCDmK?+R_fiX zodB5;vaS--DB11Efn}9*64ol(Ke;+8-Z~ultP2N%xhZkrjSkb~F#EhfM8%=@2zmaP zc#5l3!g!y_J`ZV<>(CSjk}z6c zLrM6E&U>4Za^tNh(^9iCT9zzq^Da564~t!D%+Q+Yfo-CdFl3uO%q@7kNw6M-ZK6pq zWSc#lY%@e3j%>3>YBZRe70S#AgBPMA_yAH2pF;Aoz!wM@8PCcnOwSBP({q4rqU|qa zf<00S!^OqLq0IDRV4G+&7TIPG8{0(FvFr{9+eFK;$ToXWwt2+~@zxC5a0>^~hU;h2COZE`zd1ZDO}b*vT<+*p8e_RHkL;uQS$wP+K-wXEw3sl ziWb(+1Xm{&2VfFmw;k{H8B12YHJ$e0bFinFd}TjX3zJ3AHd*u_OeD=7A;(MOtpjK; zymA=k{o7(9)JFwv6tXj5+qgz1Vzv?NNYf^=+Gu~X{@w=Fp-k}#901wo_Hl>kfBulX z&wDxf8~IcDZP3eak{^@r0bTvLTmyaurpc$nKEnXe3hyF&r0+nt|2^p?@IZLKbc?hA zH2;@L=Sv0Bc+gAFkdBplNV52Y*eZS~ZV}gu%f*MpYs8Di3eeJDEKU@Mi#ecao(w(? zeg?hokA*jdXF-?$5#bMTrl49V67CYFf`<4&p}&v{n&WQIx1PUwwt8OhtnxhJxyf^d zXEtc9FY%o18S6O}P6iz9>E;pnUHljP`}`}Q+x|5F0Gt}QkT2uU<8OmA1Vi~O{&+r# zSKR-0f9c-le%-y%UGHA%zRrEAyUJbY{-b-cd!#$$?&nT%`#@j6S}W3~!kK`9T7NAS zPEWYiZ`Hr4Th$lTRq7LP#^NUR3fP4yQO{P#s;7eP`_XDQRaAB>9wE2kzD${Yz<|h`e z+5E%;W%D)*RGQ^>I)qIH=I z4r-T!`rbkP=%D`TpuTlb|8P*>IH<23)J_NWm4o`yLA5!kRtL4iL4Dz%KDVgeT>al2 z)ZZM`XAbI92esWnee9tA>Y%ncsE-`fhYsok2lc*#`ip~l&q2NGptd@wcO2B)7M04? 
zzvZCbbWpE5sMj3S7693)edTvgKBnAO%AHjK{Yt2l@6-jqIz-lw>YSq9n?(@>P82( z$U)uUplp7c;R)9}u3hJ#u60n?IH;>FDw(Ta=%B80PzxN?l@96(2NicvmpiC=4(c)o zb*Y28#6ex`pe}My7doi94yw*U&2dn(Eebr2*ILx^U|qmLo#UX+wy5K{m1jAqX%6a4 z2Q}3}O>t0@9n>TTHPJzx;h^#z)C31L-a(CXP-7j`7zcH_gBtCiMp+a{WT!c(kq&Bv zgBtFjhB>IA4r+*l8tkA3IjB<|)F}??WQ&5CVTFTQ?x3D=P)|FkrySHW2lb>yrEv96 zIH<=R)MF0nQ3v&igIemK9(GUJYbx`*>sJk81T^0p% z&z%nHj}Gb%2esHi-R_`nViPgjJ_*0qhRE3i|`=V29ut*durlb_s5WeS)iD zr{E&kD<~JHdM0^3g45|^^x?+8U_HD8R>U8`n)p>%6|aMJ@iVY8eh}8ix5MiAY9p?l z3+wF(u;Lz~-KE{C{Xx4*n+LlAe}a90TVYS&Dq)^BSC|Vs1G8Xn;9OyXFbeh@u2*hT zZU9RNm&56Ym{O*Ep;arNXixFKz`6FLVP{}A>=4}H*&t-XF2ZrJk8lL+BzUz)U^n4M z*iUHl{7oDK`w*wVPDC2)MH~gY5nV-16oj9(?~RLK#a<3;_UW){KLgh7!(io}4Quxk zVD;V;*6%8;;D3T$g5UrCLp31sF1Mft5c(4kg)U0?=!CbNjbl+ow;lJQg_K0K=+9Na|A zst_s>DiF#k=o=8$W8|3#Qz`hcCX6WVI0C(gfR%G zBaEh?KZ~#lVWaRDTlH+l$mgWC!iNYSAiR(87lii^-bL7o@D9S;2yY?0iSP!(>j6RT>m$azL<}V4lhzNf`lL<2nevn4zrYxM{py!5I73@F9<&) z{DkmtgdY)pK=>EJF6D05h5sAX`CEGn+5pB3gy{(9A)Jd)fN&1N*~-`4$U}cg%q)Ts z){0#Dho0x}IV5TTt92N{P=p}}gAoRS0J4YVQHa;_5k?`LhA9up)jmQ8~Zk|LGdQ7P|vsF~aQ#w;|k$a0|lC2sa_z zh_DFZ282H#T#s-a!nFw3AY6^G5aB9>QxQ%czbrZ+;;uSdUf13J;db2uL4XdZAU6k*Yzk$a8%}P``PU+^o+k1+) zzqglsqi~9Fyr98~_C5Do?k4x2-8Z|ZxN}`UyV_hgxvt~tUFW;ba192ZfT=E>`#1a@ z_J6L64#&9VIM0y7UbI8b@XUBCb1#NkTgmNc-7ys%e;;y?65Qp~_)BA;9#`p)!GYqk zll;ZC)o|{w+E3JaiI#9hGzxCz`hu>F-Ro3xa(2A6jw;`rOEqnhO+~#k$Bl-wNL0}u z^wulj2q8H@MUE%MYRf^_JvrVwhu(Ms-q?9^No9FB<_B%N3ui^)AUFE1LLckNBFQeF zsK|o?ZbgJ>2D38*esYY!PfuDw6lM-67@RtPlf7r zJ)P=x=%otP>w2c<6$Xn#;hgk9UV32$cu&kK23JwhLOAuDksA$$;ShBOIVCvNrihdz z&xhBTLKTq~;Cb|<-;N^E9tUg-3I>@vN#sDS{UEOG00XGD4k9OG7zK4n^g4#>l09welIVPl-C?Oq zc8#}|)4qXr5_&Q_2@58~TgzwNQx;a1 zR92z$Pdq#jN=px=g$uz2CHVe?sVD%G3HZUrcMHG^!oe6grx^g>VKsq_0C9s!QzpD) z#{zJ2GZ38}CZ}owVQ{4lYM_bfBh5T-Fa{1)S5?mT52>hu!#DoQSfq$3b(Yt{`G~pp zLkH=>w2Vxpyt1gYxRm(Ugi_|w6RWwq>w4OrW9i?6uPiW{@avpe$gnAJPM|GtF?CrO zBL{>A`bUkKQm|(Vn22k_;B;}IfBLX8IQ0<)zgc4^jUL`k(r85y%c_92C1lsZbEf0M zbHVRotg;+_=-~-}Z4G!=t0{%!PjHqNe4>FD#xOjc*tZ~zf_59|Coy{Rwh;Oen706D 
z?BobkA-QvI;=ID%ylY+#XLn}NF?Bhf-RWtnmi~u(888I&5Xd+VQB_6PfGk2Th_{wt zQPE##&qHGndl&?W#aq$0;N@rH^wN$f@GCSCyl1hE6ZT9#Io^tX!DeAGOfjK@vqryo zE4mRw7n(gg?{nPd#akov@yK<1iU%?`g78pCZ${xEiRk9%WWgKR-I*p4;b8_%hQdRV zQ+Pm^peQ^frRL>i=0-!|>_BdMW;*ER=N5zO{-K|oB-0jQM$WU7?en;Oc&v_=0fVKg|K+tsMRVsshSh1IP%t|$4JQ1= znYcM~<_wr!T3rh!ci`j!O@2&TG3eK)W#s0Bb91u8>A~W>P^2iF9?lFEf&XnVO#w$Z zvP0Q$#xXY|BN_qE&Ur<-p{%SduxgbVjufXC<`zZ^6Hc+=VE=xO4S+=j;5zLvt-Rft z)?R%+wtvzr=WrcHV6Ller(Os8nV@MGDlsk=Ed%ia_&IZ7-QHaZVRN@TGSSFFdv_#+ zP`ty&*V4&hN)SED6=3;ra+w^>gT&_9U96fE(a6gnRISJ7MA2w_!qdx-LLj{zi;e<_5a`CoB5l@i^h7R(O70Y z4ByLdHLf$}8y6ZEfc5j~##CdhF%+!y5AZ}mGhl*exF^pufIq==3|L>+J#PMcPnB`3 z?=jFXU+nvX?+X4A{$BnTuqAjY9|J#eCH%SkME*2>1>XWz|K0j7{Y$Xf-zI%5y#spv z>wH0}UV0R4`QIvCqkrnV(EYXdW$y-WqxVVggWfy6H+rw~UgC{;OTE**Q@mrmL%ccO z6TymqcdsJD$dEIxmZ-ngj4bviDnBU63 zBJ>uz3##Dqd=KC9Kk>ZldDXKC_Chi}&7P+dc81%4!d@SFaM;BvX#ZjYcn>E0;|UYG3l=))4Rye9EpNFhTCeYh3t z!XWSA^~=qm$eRh&54?~Se2U`L_s#2ioMh#7^B(`{$R&cu&{MZV< zZ3VYj!56IHMz2|AYph^HqP)DuSrvJu6}-X<&NqXu_sk%7x%oPmn4yc!&|EWAXNKmO zq1k4r)(q8{p_mz}HbWPfp(-&K;niHuS&4MQ>p0`MJs0}w`KA9m!{zrk`Mn1IH)|j< zj|keItl-_ggm6UU*c+`2*IL2Ltl(TL7_)-qR&b`tS(YY3GE5p&pcUl8L`V$#E@VO( zdG4RB3~slAS0++xOj09B!-?x2?HqR9qn&LdM4Wu88OlzCMDq^r z+C&_8CG>{K0rZHWR@z)E*xw2sWd(b%AeNad2^O&D@|u_k$(_xRDe{W0M4W3YS$Viz z9{w^C@WLehbRzIrBJfZmup|-qVc}x zc$Ni(*CbLfmuIfRr*IFtuj9e9+1SKJ%i4erO?_q%WR?eewxKK8u>=gQal>V1#;mUw&n&hwq(%kZ7xO99UT zqW+`4Q~ykV&o{|;tNyC*8s8{=qu!`L;k(RN;3U9v@|AEF;VH7xmRHFa%9V1Fe3m?39tQsY z0`k%F5wa#fB|jv)z+%7->CfN~@Ga>DX|1$ex<|TMS}0v2RZBDBq{11}Na-XgDBmeB zl8zHUk&@w@f=B$9_@%g2d>KwBtP~#;?-OqmuLb{fwc`2m&+vw1R)Mf_GTK#a56_YP`pz-)6<$nh5gxExd4%>oRL%_&xL= zt^sTc(Zd^)t>7dpIME88fike@G4jpO1T!?=42?5GW6jVQGjzHc8f}I~nW59n&`2{h z!VC>JL&MC_P%|{d3=K9zgXA~3ul~bT`rmw9qO}Bri4LMiFxVy!3C67iY!i;e&a+~f z%tK-?wPG)^f)`uCi>%;yf=v7)Ih&DSLE5Z=T^yy&@x*IEBK@pe8LJoZUrB+f{$9kN30;*Eg&UZX~jNc2E~YB@Xl$Oq+Mku(3`Dby%k)Z z2zvCTR`6jf_>dKR&p72a3qKj++T%)W|o0M`~yj<K!+tQdX~n*1eh#iH0l2R@Q*|c2n1P 
z2&l!(Cc2SC#VRWt$u5p$f!*|+AgG%~f;oY_?CiooW-za)I26f><`reNuk=(Dje&cr zD)f+o#v)_jk&G!6Q?1N|0u?B4+6vMqTo$YJQ$JUJP~snwKRGj_FLPBE+l$ICQIMJg zYAv(D6$~i2KitKXSSQx*xsGS&5XBoMh)UYRBf!6sWx`l$Cn;&L+4hg`qc~6 zncL8(6^oD;%#OFAFRSbEJW#Jg(`N>CNzkn%^>IOMw0bU%9vYkuCjekJz!*Qf?C%2# z_S32TV#~K%AYm*$FllZK{2mmfO#lsj+V8;+mE{@^X3q4?eVcDb<$CH0&Kz&%@MY@r z1qJ2^E}%oWfR5n;I*1D#qqyLb0vyM5nqXdlz^Jd4HyO+w8_o9a3de8E91k`-TdyUj zdD_orzhlu}Dziw3ke#zsW{&NbZoebbUb?-%gTKh}edBHD za%u!lT;jg!rc1mH-A` z;%#pFW~h~)Y-#1Up(kN>hozO@Io^iug3)4rGPRh0>SeS`@9UNXUPo05n4|BQSZ?SO`G2L*W=uQDtQ{$ao2jcgJy2 zOP~W&`I%rXe@{^mdJC`-=03%KMC(^MlZBrC(A})vBMh)0bRaXQFj`)4W_f9T_3TL_ zOh+>GhOuyzjhrweNkCeN4JaxjP5}>0a5&I|y@^9r?c3@H7gFfYdJgtchm6tTwgc61 z^dikhD>)8@&ZAj`JU=bodJ!EB3nt)`epB*8u0wpVIgfQZZ81AR0qq5jZeSBg=m}hV zkFa-${aN}yu*tw;JO}RLg{=Pr?x{T3uAjk=5>FCEVF#Q8c-Oeis55en<9#pc1NFXo zlJ>fCiqc2%dB5|%?|s;No%bSd)Z5SNm2Z`=kk1yEh&PCrilzL`d?w$McZt*7e|JCa zzTLgRJ=Hys`^43i`+@tM+sZx1)pHMW54w87V_hX&zmBfKg&#Ybvb}V!SbMR*$Ng$G z&_CWbgtFH$bRI|*C(Vu!KP&#>W5@a@QP;8l3DrelpMmLhyKsEk}!}Fo;!7Cv6KLl@a z<0`>v?pSjA4NOMh)>B7n@&F_X;(FTj_*4^%l$8=25;5>sNIeu*m4OWgf7nk>2@~8sIGUzy#%m5zcGSV{AP0?afxV*I5 zKNS2Uf{)^&XvME|Y#aUVFc|?hgvw*^hC~#=Z4}Gd3-uA~hZNSLHnFCiL|(~1E?QAr z00-Y@R)@=D1vIV}7LNT$MjaFzYMoB%+ZO|1O!cG#2gg(|=a@q0-Z-XurFLW!62=rd z{bpS|r6@C+TL^oX#4r<#Xmqc|MszQbpV5028#SFODl4LpDu)({r6PM0=*fyj$n&$~ zZCNN&oI}USk-sUKBHif?$R`%Bj zfJxy{Bnw#5qKmOX*lz7CX<4_0M$fSKg5;`rTRLs?%g?}j%_Z$2PbqtyP>zhZp<}85 zKC<)f^GI&I4INd5F@f0edW7Zg0Q!PBpQo71-+=A4QwY;Tm$*1UQ=9`7o#WyFO-Tj! 
zs#)ogBH(h_;Yc8>FdPbm(z6N!k(_W=Mi#h^3m0X<07c)pI6zZU(ldgY;jCzS2)I=r z`e@`6(0*z;PSlkMR@A32s4&M}9{&tGD9Y-7Ln$EORQVyC^?J4n2qTe!hvkinU zZ_k9!4N>sqAL|=>Ma&Fmo`+7#(qsI(q!@31?2S zoLACi5L6Rg?E(YrINM@dT8DeJ+jcDNskqurIoQ>1+c7j3WJD>1GaYS@kmqahwxf_U zd9m~Vk8mbj?y^?4nwc$kZ4JFYMspBj`cN3onejG1at$_nwZm}^vd2N=_qI2F@+tAQ zR2or^O>Z)&j?N&-@wOvr253Mn#c4ooP`oXLUcCUbZ^wYz{-#IZIlX8W$a8uTD{ARr zMXfEF#$vbb)mvA7Pux8KcBDQC-W!sN4wj=d)+$sqwZVX zm$^q6pBNEiqVGp-t~<+pjO#wv<*wPTsB5xom}?lv!OG=qYyy00Z?g%=Ro8m%onLLq z`QOV}`O)S6^`3rdyzM-!QtWEI&H1bvzPyL4BP9{yzPoxrRT!*jm4O|sXw96;>REPc zT)An)AXZiee0>K8-NYDI1(*e_jmE&jR%O}jXrLlG2aIghl)_KAY%bW@3e=dExYD4{ zoNMbdy~$LFCT*}2^_FwuZD=}gI_<8#Mf2lGzGbzGS`!;lS5;P74eS1iwH3sq8T8UA zwqBZwy%b_6?-m=(1aI|ilXj2I&4j{Cw3RNENKt3d2$Z5yol;ajy@XO!YHCg}Bb*MO z+Cgl}f~|w1+{^$N^?{#gUO1yToE<96%>^lH0=)@mmDCh4_Yxt_?7@y)+c&O=r_(0BF+%Gv^`NDw{cN*Pk*Oo^+yRkk^q3JNrcL&P zX|}|s!ib95V2ZMOc4;KqpQw?5tUed4gO!!}$)5Pw(n2s7HkT~&$s9>8higDoD5~^V zRMz;TbzqeTnyLm?`|WPI6MyzasH`vm?7gvX0nn2o;R-))CBOqqtLdHrs792+27n*F z4wOa`xstU*{=^BxMogMCeaPg=Lxzp=gS-34EM_MLHVw*H8Ock*=%TB0xC^ojgE_h= z@j?unCt!bwy=KgRbPPAP$im+rm<5J5Yak|eG}&O82?p9=0bc~hGwVP_hTKZtJ`7nC zhtjm5baP|CUc^aIDX57Jh*g2roM<(%uUA@`R)!lkfpXZrA>|3gBIVRR9(-m9lq4+o z1%Qu&na)5_MsZF$*sdzf%d=EzCfW8zOee))4G&D@g?9h)V*k`)et&^xh*rd+)0ufb z>%$Brl82Lz$zKj{_k($Q6rK8zX`~V^a+*Ctz9JZJ8%c|@ z5SRU_zXgGs8BzuPlf8aF>H~W@wzluPudhTTt-V9;rVV26luYTt-XZ&9-hIYTn4GZi znkbmxw)eDqfoK;c9oW*R+2iw7ALmyv);VFf3H~Y2W21Eg$#e^oW~>DGXSgO7=%=7F z@=5#N{I^+oJ@D^Wu*)=p_M$=9drg5ep^i0OVZ#9W+i-h-O9q)OajGIdG2S+ecD*YZ zXLcVJ{&v{88*E=4Uf%X=aJIxA+W^oX8A_`h^+!@W+gQ&Pm&Du7p;dl0T9xemTNv$V z7rEogW_#Ji9adXSOwUav(lO|?735cvRs|!j1qlJUpa3M~y^TxI?G2Zf#Rl#+CefWd z>;RLQfeu&pRbe<-2`_+ue%~Y)tWoleu1J)A59in%$)kz%9*ecNsJ0k zSEx*(peaEbhI!^J+dR`d`QmsRng+bQ6qiTlWhuJKuY; zx7J$$XY*%x&+<-$v--pN=lB-zH~50MT3jan2~P804L$}d#X@n4NVFXWfET`Qq9ptv zvkWGQ%3nzR1oQ()JRdsz`&r)oJRhNVM9&81 zEAe6K4=~|BaklAEaT53nwEQd{o$$R#{0Q=2^I!0v@bB|)@vlh7NGVcx$tOt?2X+a* z5qF56%Ad&Z%WuiAfE9!mxe@FfJ}N&T-!0!J-ykoPFNeLGnDnBwQCba_6rYrqO7}^3 
z62FDg0_ig9O)+BnXB9R*Y6{~J$QWy!o3LhAl!{`7s8zge?*{;PLg97l2!+?FBNSez zj!?iT0;Z&nP~hMbQq&O&9C$*CIzoYiPDoKlC~&|DDe4FX4mKf09ihO1CZwn%6tK2} z6!l5R>(nP5ug}NGIKt%!^AIjWxD??Mgo_a_LbwoNEek9BQHBqlNr_@4!jzz{yWHA2lsFr&OrgYNBqmT|JQAZRL0vn!wPBPPidRmd1a)%b z)^aI9{n)s*bV>v<*@=|shs1G|I2MWClt@LQCnb`Q=t_w$NPz7acvFoKy#6S{BM5&+ zpta5G4ag3zB)UDF#-L2ks<;Q<=JkIGGsS5kMwo- zg>**c$glbX{r#5yeo23~)8CKj@B8%kZTh=~{=PteH`3oV^tXZjK23igqrVT)-zD_- zkM#Ez`uhj^yO93I>F>q#cQ*a4qQB?sh1@luc~;0>N`LFJM<38_P!w>+f+`hD7%JL6VP{?(1|Ace#8c5Bx6SHKWN@ zv7bWye)+J~0BK*>R>IU_1>PK29b*p%zI8*a#1GP-8KkN{!)f&Y4ux~I6eA+*yovS^f zO;uNk7i)ilorPQVUV1lO*G26YZI|}7_J#I|_P+L(_KJR^evQ6Ge_mg&H|xu_3EB|t zI4xB>Lj6(wR&7&XW9!`WrHJ%rIHho<_fqd1Zx#3qDD&G1Zw1Rxmcbq zPm|A(PX~L0C(GI3OW*|AFZYzY$g1p-egd0=UrF1gze?{(Z%8kxN2@E;C)9`4CF&jO zP3pDk73wAGY_(D?0S}93tCQ5R>In5zV~6pn@wTzqXfhrHj|+>8xKRT(7^fMh8z&pt z#sK34!w+5ry8O2Pyf^>%|AbVqDA`Hy{(5^hWWR}T}ni3n#PoJT;?TM+2_PSV#PwHo0x0-`YnVKf4Z z9ElWlhArvqkQ#+2f{Z9UnA^9pvzxL{}QP-gjR$d2wx!36|$snN9ykge?#~T;Zp>f&4DiYc+Jgq-{UPw zN?D=(T2^SkmKECFWQBG&S;5X=oI+Ac#z2Hzge-(~gaHUAQt){ZWCRI8L=X@>1Vkf_ zP=+vzUX$sLk!Vz5WCcPwUb`FNE`&R^x#nw%MhsI{;xESFg?O85mkNRX0m}CLMl?YcL%tN>ofjzcPKbpRSj@o~2x+^oN|zv{UIQ!Ylh9pN^F zTa96^lMZL${y)l#)Szsfif|G_2q7CG10fBezj1~+fMorAW4eu+X_VWjBI6<(6*jK6 zQRf-A+o*F4G#g8wpict}g%Y#?Qd5j|Hfo~rs*Rdpd|;!-8sFHc(Re%Ta@oIMDAGV~ zr!=6mTCHBH-lpEKHmT3bQ@~T+qf{f{Yopbd;|u!w`Ht1U)Zf=%055ru>55jO6>7t^ zQ#HSqto~d5PTi`$t}cg_?jrRXwM;EmN2x>AW7SlZQ+`n1SKd|{l&7URnp=8OE6}ED zA+4LbQ+-KY3hUt+>d9J-R-q(u;CuSd9zPFY-ySLXW|! 
zeWo0i&rxmxi-rr7%arlTY06-^zkHmWDjy+jl{QFsNHf-l0a!P;Slaw2>aKT_$T z7>ca8ygzvV(ILHqnV@q38VBA}z%OB%w~zNIZ?d)|te zvd^XeV0>nLXuM-=F`frMjm^e#<8k95<6dL2aieh!_-ee^s5L5#nZ^v`EMuZE#u#p# zV&wd4e`&^1`~MT4`!D}>78Q{f{w@4d*eI+P>V+qTrNVu}ABCGi)8tCwQelozC6o$< z;OlX+Fisc={wG30y3kKJMo0mlk3K;XIPgO8jc14FQ_lyUx54w{X3siLljj-FW1a^+ z_jqmxZ;w}d;+~57HSplRep<0iF{)eos$N7mw=k@IUd}g};j} zVx#!9_^9}RunqKLZUg%n3&qQYcf||Em{=x8#q)&M#WTfxaWv@3oFu#mUkn4{@nUZ= zN%&HlEj=MUEG^;x%D>0I!N0_R$M4sWJpU7&3Y_z}G~4}xGv;^dH(vw7KdIyZK;%^b z9|GYZ*1y-S;30&r+yA|#`%lsVcb~`XCl~1>ZsvZH9FEIm=iL}ge+R)M@hj0mWGs;^ z^wAR4@-T+d42KZ@%*#|34j-;p#GsweQoJ1dk-q#Fyo=#r_HhcSkx zJYAk^7bgT>b{n9#0l)p|^?dq^cZ{duarAercOvIE3)N15rplndR4K#=(p>w~vf$dB z*Xi1v*Xi2)|B7;wcZMl+@%l7xg^ij5t(g$yczq&$71Z70QIm^jDqI?s^}yL7O``sQ zK(}9b^;@LALiiHlbA;^(pCHh!5?=iPDY_lPtM4F1w>)?it4^ic8oc@u=H|99`S-99=K+ z_@$Y@OnE5r-Bf=?S!0GTC0#;&hWzJ)`W4sE@LUcG_-!q;wyAMyX#I}iA%itg{`j+mYeq<~^W>^#=kv17;n{_dHxY>w>uXrBImML+Y)ch23p zcjnHWTW01AZPQABA4-4IU@g~$v<>>gu?=0Wo)-F>E@00bvYtcX*{+Ya9YeF*yY25& z$f`<-%E2?#i19SJ_t>_L>Qi4xTP|=1x5ck!7_etYQqi`hd> zo97w&?USBfsxG!Ep|6Ez&l`$fr)@SGq4P=4ewtjXm$vbRm4rNZX(#;Vc>h^Qdr(8j z%pP?Ct8blV&s&~Vsj{^%_H4Tr>P-u1k_E#_z=N48fzUvG;UK{1bd z4=_?wIU23xI3@J049lq~8l_~U@hi&<6h2Ska}+*{od598%KiUVI!3|h_8XPlpoG2{ z=yv)>psN9XSUZ4hR{CO~Tj@)muEzOcF#)ovVK%x(_kCRr{?pX}GhL0n(KY%6hP7{u zA7I@ZCB;fkQZi1-iAu&QIYG%7CC3{b{%07$sYb9w_5bU8X|L!zYDV8Z#-V?zzi<6S zf7810PmW~w>wQ$8s`YWKoY!Ejv_60l0k>Go(dT~=#{8d#74&9Vr&^1x$6H5OkFXY5 z541+D`(gb5F4msb9jtDv#qx{gJIfZ!hnBZ3ucEd+Z8_N(ac_MO^9No|k18<66gZb+ zt-U4Axy~8R$ zx6vs3pc*Y<>xPjMc3Y112kTef1Xf7g+q+x)_j=D)o=>n+;v1fq(<2-_4|wj{_BG&~ zbZ;{CC67RV@_)sDINSfG|Ktn_OPOV{We)oD*H~&T4;v#=+Ly6@x_+^$Tl#|3=ns8% zYIKHPk{Su3k57#S(MP66gXm*Y<3aSHsSzRiL8;oI$L!ZS&5oa(L-f5+^Nbp~0i#ba z&IMn>o~1D_$@It%W5kO(tJ}`@G2UU`!>|J8A{y7>@_q07l172Nj*$V+Xqs(N$3`8R zf6dfMp&m$)rt$2l``bUS>wSLzGqbKnPwSrXdTiUHtL_Au1DQ=J=d#9>J8D=+!fv3gCc#Cl}u7H zk;J`&Ar{~1N={R9s*)v27Ask#WTBD;O6DusUrB!@348s&^rTw6)Kg_q-GUacop$S` zZb6IJs>q^5S7KITQj(*D9{Mb5G=RnP3q^W%|lRE1`!ri~Ax)=P5Z? 
z$(c&dP@<}onssAw&sC9gl+08zL&;PnQJHCXiTF z>00UHvS41NadBDcsCC~wgRp#~63VTvhW6;HYg+fsR<>D6s3fp3rXt#ru0{jszG*75 zLfDkCARNu%Wb<`*H}kcUa}0;pVSXW@8d|*i>3)V@8z7L z{fI<5^lxFG9$Jp$IQ-V3<>0RY12j8ol_STl>DxRY=MS7V%kUm{7#xJnpO8Oj_RN`Z zX{Xjd!z3?%&~L0bf)$_w;r^je|3I`L8i<9XiA&V zL~qk+I~ltipK+Ie+-q~@y$3^qKsd5}hQkHHL_F*d?_@el?`7=XSQvBr9RGQrsF@BU zR1gnf6~O5BhXG4Ggc9mynzf^G6o+Iyir-tSDf9lqek7WqVuuRCaTG~-N7I=-jr|$D zuzw`i#uaS1*&7Py{=f0@oaq391&M?|h6NC}t7xGDe-tYrMS7af>|q?hWE=pR5&YG@ zAxXJS$ynP59d#sKYdDsZ;YP)l`2cXv6XDSI2N1+%hIJ(3JxpiW@{A)`n6U`jUE7Bm zUZw|O8HDkMV?X#koHlW8e$jkd6yeBea0mleF3P=3rXvXyBtoGWT9fUHB3OV}EN+!& zI<32LAek?KBd5)rcJlanOW=TU&g}V9OY+lYW4I;EKN3Dbr;=~M%zF~%zKFhBY}8)`waOD;3_j1jCD0l>ykY~ zqvp?h7;jfcM=5J%hP?_!#~Ln=etSK@7FZpf^C zkHk%B&f-i})t@Mc;!K2s+vNzBSiqm~2X-*c?riMlu#DwaGwUT!7|v(m>oFAkgmHh}{yfGD z{E=`l6!n=VdyQR&GM>j&{hvO6?!=PGlMEN7naVX*5Q*S=&T#f(1ySSr3wuqcdW_v< zet;M@c_DeIGM-k3&z@#@7A8+r?HfE=vL*A*aWjp@w!g;xv4S8TEFy7_X`@&`nI<@mJ?@(^Td7lLRFsUl3iOYJap(0LKE36A zfGiQz$4JO&I>lk^BlEM@w$>!wB&*UKFwv--+Z7}wjAejB+g<2n3BW^hJmxT!+OrpA zyGwAG@=}c_`B}5nHIQ+SAru$d=ilCLu*XnA1dUEOY&VtIj6EhY7Ua?M$HNu&@P$Sp zQvIL>Br@eKSP;hpRs6R%cUd@rM(ExYab%V(bSV(=*&ajmmh`0>gtgd=bu>J2`*k$iexe=A#t1 zzrE4H8_xuZ47CJL3wWkV1TCgny0N>=Pm0@`O7edP_r~qcSf=a+3L>#M&e!&}GJxAs zEEI|8rn5Smdt!%Y8QwRyzuHodBX|x`k0EF#v0U(c!`m_4f@l#j<9>mA?Xf88^h@G# zv*&DoIie8oybup1g1^1TlO+&|217wJp4v@DDP(?XPw#@?L)$fO;$1ZVkXe)9jc-=Q zQ;!FVKxF%8Cme>qAcmE`V_}nN7M8}_{>JQ}w_&5D9SP6Nw9a(?NMjwXNvH;Dt*mw@ zBaj~q^bf@FKTZbPf%M65XNkuBI2|UZ>sakqYk}t5?0CYl*0I_(%d^O{!n4Vqv{&0# z+V8bJXM4)_sIAF%5&XwZu^;5<>$1Db-L;;uke# zHh8Q1!TPoJGwWvS+t$~tFIhLj|K3{bYHKYVZ`&<7#Xm@T56q+ z@5tlek8Ol?sP#~5p|w8-P!ym)x3{g{R*BKhD{ODrHrY+KpD@3Ei@l58YmeK57{R{> z=HVCFXW2{a6YOK*3GZfmx%~>v-*2&hVt?P>W`6}^@3%VoV5WaJN3J96C~ypg2Y^Dy zILF!W6}SMN0cstq9QQl!!nlIv&WoJqI&X763NHrr&PwNVE|c>o=N9L?u6$P)SI{-w zRph$FRpy%KTIsq2eZ6h2S6nZ+ySa1SPPgvv<37|~h@RfCdxR~|c7QEv^V>$*hS>(& zifwajGi>MD&cJAZ8*SI%E6PWRiT!+g89evR!`y%k_AebyhwkX_ z7!Ci0(;br>6&THMm1CJ>sq+lX7np-F4^y1Q&N0qWn8h#{ea{CtqfWoGA7(7{cIG)d 
zJKavJQ^TBvuN|K`Hap(NYK<>BHac%~KImNGe9HNTa}zu{eCzVMdb;*;?cqAe6?YvD zZv^z8d&K|c|2#ka-}p~|@OS=Gvk}Vm%k_)&bM({n`T8tTFFn7L4>Wkc9Tr{i_kU#@{I6W- z<981Czs6*YGj)AN;fEA%rtlpK;r9tvjHW~g?@tI{rVu`$@b|M6Vw5HRev(3r-^AbR zD5R0Ft~K;Gd_y6=jzV~d!rvI}i*OZ%7}blv;VlXwM(-ko&nSc#rHinFLX5`6-|!!W z5TkAp(x_V(M%UtR8eMCQqQ&1diq?hEviKW*r4V9NEJBQm#pqfJU0+ko=SFC!y?Zb& z6;_NyMo8P+Z=$~`1rNN!As!=GvHivLH>GcQc|tt=G9oSz~ zx`_U!zBh&Nyofy7>F<6N!b>C4xq`yWDJDu`fI>fo zdmEt#ZY&XALm{0b51k{=m9))33J;|401DwI5;+Z17@{ypp-OqM@wee*5@}vXVL8Q& zqVOmRhfz4h2t8Cc++!%_7>c=(LaI6LDHN~Du$cZn!3gc0=#Z#d<|uc#IoJ~^??T@>C);T;s-PT_4v=%#aFIQhii zR5uJCpLQCVi|~2+`#B@zapkS_cMFBh6gE+~hQiepHd2_Ruz|vQ3hC(p8F`~UJCD_a0P{Q6}zeY4dl01+pv!n?p!83nu$02t6wY$@%5ujvj%Pk? zGmk>5&z?E%zT5V=z&$j5=cR3yP^jvys^JUWUt%OK;$KgSV&N=Z*Jae7ndv-ti zQjqu0{raFgbhG(q-w(d8eV_R@``-4whS>^zti9kJeyimZ%llX_;1$eM*kD<2X|W`I zFJV^sO3S^LJ1jR@uCZKZS!y}XGTgGiC2YyJ^ssccxb)BUxAf=rr}TCDYW+6-D*b%@ zOns4liauSRsE^f;(TC}W>4kbi59)jCyXiaW-E`l7=YOb5KDs%lhAGit*lpfz62=H2 zn;Q0P^TiZJl|+<;m4uW8l?0UdmC!IHn~#Pm*_3l@n{OYo{rOV)Pam;wZmxv09Di>jY#8Q6Z(gi)Gi@Rc5y*LfZGi!LthnI1@Cm6oQDa5lE{>HNxW}_cOA>NemH{O&mixclc z2oIz1Pzn#Bu!zDzmS5CU8fH7bicf_p-^3T$yZrXvU~HfB3Wa~8a1&LP%P3q%;iVK_ zLLt4G_~^~VcOk_rrSJj@&!>>ySbX&U<2#39&Zh7z3d<;@_aYzii^_RAg{M(S&y+rT z?)1@fr;naHeGAD-Pe?v`iuKV`tdE{zeRIf4Ps2WX8uroCux}Q{)7zSF2K{|9h0`gV zMqvqsQz@K6;baOYQ8J*wO zG*L)zhF*FS_55nYcz&VqX9|C!@J9-NpzwPNw^H~Wh2K*64TWD*_!Wg;QuqahTPXaT z!p|uDl)_Ia{FuUzDEyGZ%@lq>;rkT6N8!5^zC+>L6uw1a8-;ID_y&cqQ}`N%uTuC5 zg=kffM`~3(FVo*I!DGoEa0l`)I+=eZ`&SA4RRVvN!2f&+7*A`y>x>rFS5D!z6kbE& z)f8Su;gwGBFs;qJN^@>-Hen8Oc0cq5@Il|%r+dHkZuY+7eagGqyV84`_bTuC-bLQ& zSTit)x$ND%cFzx(!~O>5ueW$AF>}2f-uh32|MOzZQ!j$Y^S;mdy% zdhz4%;ol4X`!)FPe;0oH*TY}`&G6NKHhlNbgP;D<7#nZ^{PX9-H@}W?1DoNK|0&x_ z^uk|-_3&0>Ji~O`SoF{r+Jg9g(9LGYsD)49ZD1q37u*HU1sB1S!D;YXP>fLtMetV8 z7oG~-@KUe^9tvK-N`bX_+rQDW40F)uz*E7omcdvVa36S>&xI$1ul4ugK_Q8r+6w&& z{R#bCeSu!0kHNZs2kG#Ypm)Jb-&U;j_Zqy#uQG3NFLRe+C4@=vjW`%%2=>8>2Dxq% 
zRy24Y^U0rZCE;1I0_z8yi?stvux`Lm^xONfwm=t`6{|CR%b4Tj$zx2Pe1U!2895b!t>DOxa5VX6XJq7J5sE?ps1mz3bSx|35I|=F~Xh%Uk z1@#b=C#ZXx_S0&+3hE+g2SJ?$brX~;$S24v$Ro%t$R)@r$RWrs$R@}t$RbEjQ-M}% z7Gx5XBS>pcHNOh_MbOWJeiHPfpdSQ%FKDZv?*x4-=o>*_3;IgXmucEptJxyxb3va8 z`c%*tf<6}Xk)RI+Z5H%_p!Ws6C+J;4?+AKZ&|8Aq1ihK2eYBd_1-&NdRYCB7n`#U2 zyEg=F67;g5mjt~i=mkN~3wln_vw}7XdPdL&K~D>MDouN9HBSh7T+n(!j|qBG&^keD z1+@xl5!5WGNzfWWs|7U*N(yQaR4=G5P5rc*T0u2}ss&XEsuZ+J(8GdO3VKM;gMuCq zbibhc1l=p>9ziPv-7V;@H0`C;+$rb|LAMLKP0+1r+C!@;7IadYf?DlhL5B%CRL~)U ziUbW3G*Hk0L4|@27IcuH1Je}HY7Y>!zo7nt5`yA_qJkoV!h%AAf`S5q{DSrqR3KZ{dU zA?R{J%LQE~Xqli(1YIoXB0(1lS}N!QLFWrPPtdu7&JlFBptA&(;fZ4HuZbgH1mf))u{C}@G8`GV#Nnk#6Ipi=~u3YslwmY|twLMt^x z(8+?P3z{aVM9>sLlLbu@G*Qq5LF1hsd(Jp>p=KV9cg8aFO7jZ5rxwF|`DVQhZ?GHT z=e$X;)mQ2(@FrUhFXv0~ervaASnE7)@xyC+iKQ5C(xtW%^vjR74aa!*LR*Ec9HZRV zW7a?|eCltpZN@uzo;}w-*j|Wn`=uDIUyO13%duj86a3(>v~R{p{Y@C3Z+B>TtM|iq zelbQ040kMdEOnGQ7CAOKHagZjnjBjko8ggPbLQjQz;KLyFLcH+YQF+w+P7dRa_KmcHn_&$En1KmK4_9OL=>+VU~BKNmjyH0xID7R+yG zvu?uog7xs`UTa-xU4fYm<<{kx*HC6%gjo$G_;xTFKHLXmMnl}{#}|ZrYo0aNYPV__ zL$C$w%ePrJSvFz>K@+|vtb|Yc3QM_VImQl@Sr*xr+RE^?Vuh^@BO^9qw1j5&+xz0H z#&FCQSY%&eudr{#H;=9MEslIgo?|d(HIzC^Fal#GzLZor%JJP~tGUp((iivneSPuu zCeN4avztrI73OmDa`RGsxIP%;4dVD7(HGw7^YmQZu50)zvBkXE+-BZn-e_KruM@R; znZC$b;v9|H2ep_(u-T=#^6>Sc&{gVM>Z-*W4qM%Je6?8Wu5hn+w|O+rQqLmaa9^Qs zsc(}r7jqN(V!lEtzV4Jc%bhE+zQcOVuV`~_b>+JHVx5R$*J!Nnu-sej-Q->Gt@RD| z)%vz#hQ(%l`B?APuvSE0cOJful)8(t{=;&7FObDU|8cGKfXETV|Gfe$L=Y^x2jTaiMQB0+B@7k7+okq)smko ztvb?ByOunLbs)zVD{U-iK96;dq1b*Z+dp7^fwh_S0YkCfrL0R-{F)M0+Micj!~0va zAIJA%btql^E$ch18(EXA_pn~WdJbzT>sZzytP$2-SUpM`e=ros`zY%ptQCg(w2C}K zalFe|PgVBDCf55|uVp=#m5#%%HJ-?PIBT4Bch=5IlfSZl!umHuy;{|MtaLt*-uKGh z_&)3NY=4jSIo8$6zBfWr(Rh;hX*}UBetb^5d^~bRmvHDqeVs$F5`;PTp z)@NDic)VI2=ckVAR~^@{y1Bd^*T1@<%>7ySWbMLgQd+x(^>x-KSgToYXI;*EI_q>+ z&Q~qxt2V&#Tt2lf#WhquUaf}89m?fiL-hbm^&WaXZ+`*nJl657N3kBr+K;t6t66C^ z=c}6YRlT0$IbYSBuWHU$HRr3E^Ht6Hsvg9@^BZc{*4UM<{)Y8!)@N87SXZ!K&3d+> 
zUag+$KXjUkUo(KUfOSXSu7Z`W8|;_b0VuT}&{1sXdR|Z0AJSdL>F{;9hSI_I)Sh^? z291Bm*U6fXd3#C++i^M#d#LRic2M@F-B>&E_H?}=J+5aB3AWRDvTIGlnCW`OcBdE& z9mnxEvMy!i^W4Doy5U@oe}T1`^+7|C4!2_s_p112s%O|Q)iWr!uMKbU_8WM+Ls+Sv z+O=k`r%4-c_chz8KEQr5^JryHQa!+ZfX)-_RG*+!pP*cylE?D)RDbMR3texpf6nQ> z#`-vKSIK%SE1h@jhwDqSL~Y-~<=V18b6?i3{JY1PsXVb?Iv+^q6^_4-^#Zkha}6_H zhuEI4!)Cs2nx9biRxaO`t-L*5$Jm~)<28Kz&0AEuYd9Y*W@b7ruhz1c;+AeIomMXY zmIIi%{a8cw6WjCkzJ`t;O!WmipVOJZzoYYtcy2$MsGi%kRz7bnTyL8Ae$h(j727wf zbeeYObk5*(U*LGI*R7W`^YOHNz}w%U;#=KHTe$wUQn`AyCOST^*1EH@SM*fc#K+$n zG#JN8%($*)LFI3yD<#ukZg<0qAzEs@$1@oKCZzyhhNa@-<<`!jNJBi~* zFdxl)F!Mpodo%Y_-1H*H-@@@XGhfVn5%VJEh0K$cHf?5J#rB6e{s)eKmE-xmuU*f~ z^{AQ4do5p2Yd=%JYo>CxYwNlwUdPwnx*WC#J!M+o)HB`hDgXW?Ly_J%<|CQ8-CNh6 znd*sGTgTVqx;=UOu1cGa_bfNOox$TXwO`GLdMo}Kjh`-$)Lc3qE+o{ z=U;#Sx0gWrYub_Sg2d+Fu0yEa)deKc;Dat@Z~&-wWC*=sQ8*3i?LS*Mhzh^rfIL1Z@%YxuDMk zeJbb^K_3hHNYICA>aW#)An1KT?+JQW&}Knz3wldXo1ixZy&>pzL9YpVRnRMf{w8RX zpqB-`l%|AM`+}h71wAL|SwSxfdPdL&K~D>MO3;&no)Gl7p!I?t6ZEK{b%NFkYE4sI zt8Ed~BxsGG)q)xYH4ADGR4=GbP_3XELDhn)1XT)pM9?Zh4+~l;=%F;lwAu#*-7n}q zLH7!JP|ylNcMG~p(4B(r5Olks+XUSzs6x;!f^HUclc09}q*1N*hO`aTuAdZiov@V) zx>nHDg02#DrJySWT`p+3pvwd;6Le{s4%X_zfLX|uLHTLIbHUDndJEb~P%l9{3hE&!Pf&M3-2`4K&SDiJhQ&=f(F z1x*q(F-;+@c7mYsf{F#5BxszVv4TzzG)Bvlt{$=p(1}O6@Ld(fs56s zKM_b2?UzbrzYe7m354NAyQmu*{4IP z1Y`b4Fj};CDwVxEkP5tu213YGQNL6w{W_FNFcFI;0!4eJQrYXzrxJj3@<=3+2p9ED zrP8-UslaD@EEF!^mL| zgo8!9rBd0gL#aeUu~5igv}-DrT|1OYAQ(r%6!l4^(x(Hdz_+&HJwH^mODdIJI+RKf zPLZSGqWn}U`5j0FOQ8fq@bq1@b1IdcJCsTw<_`x#MZHt0^zJ|^Sf(T#3df^GJEc`*HHXavg>EbIZF z(A{&++H-)tN4sRO1i`%dbMxoI1NFSw`9;&_j-N0CH~)R}M^2kMbNs~o$#dq+o|C_@ zWb&;1sgq|-oW@I!ydjPY~l4VW=`&b<7Ivu912HuX0T2*z4LSimFbkN5*cd8xzC zYq#G&@|dAg!F?SG6?IRg(!B$zU=aGc|7`O3I zQKwWYojQ<;u|h>68jKg^rc%l6P%2n~2TjmI-?pOkwM*t-SCqzj6A3>aL%gZO_qN;b zA1z8OClLz3lYfyXm5QfBso<^>4aJJwsZ`t@NCh`1JmleoxKgROI+O}lC&1%Oku#Nw z^UtON=kH-Gz+pTq7CBO>I69OH+Rk7&P-IV~V(&mI#;OWfKPpmWOQmA#Kq|)Ld;kkV z6j@WLSUZ$T1P`rv;IyPtv2-YvfIp0-ql)xYDtZS}!Q(uZn+PU~Fz7?QimEBNfBaQ6 
zq*fb|8LCyH+uhX%QFAp=>Iq7{~Nvkcm2-%|J3aNd$Y{{H~RmL`Ts`m|ASfP z|Nqth|0ll&{k3`f5=ei|8=}?yB&{jd;3HnyhH-f$v^p&751$`lCOPU62 zb)O0PRM01aJ{I)3pbrIY7W9Fj_XWKt=v_hY2zp!4TY}mIy(#DoL9eIjFs<%YL9Yn< zo1jgCUK8|^pce(bAn18P&k1@~&_+Se2-+a%X+cj3dQ#96X*yJ^TQBG_L5~VrC+KlO zt%6zvH4ADIv_{ZsL5+fvf*J(X3#t=TE2t(-hiG+Gf+__)B50MMYC$UnJtXKsK@SMJ zU(kJm?iF;8pcR7d7Ic@OI|bd5rXsEGHbJ)vst|OGpxXuABbnZ+B4`IeodtCgpcb-xPwB~7Rk3k1yt60%>iq|1UVD~f zMtK=lCH%da-I|*H?QWx);OjBdzZP@-S71(hIp&Nn#R&UFm_c5GIpm`;i+nIV1H|DQ zpf9`wk^n`S4_rYxp#9Y&E$fhQ}A045dU^>3Ca_N^3}k;DU|nyT*F(1;mslK(W3qP z^Iw1eb4$ROzvR=_oybb_roeG#nl}Zec~elD$K=!2eyZ$i|Hk?#>q=Id_lWIiz9V!2 z$4_J(ZfLHyhUQ5^Z)3iU^)%LLtTYc7+tEB+sGs9^Vs$EA{T=JOtk1GGvfj&jE$g|g zG=D5tTTSHvJ)GmCtbJI$N*jMMx%`q`en~FBB$r?EIJMto5o>_87pq-q z!#AvNvp&Ph<=1c@Gv}*;=HKON4V?!1-$6eAQDu%GK&$QR&t{ z#`*~Bt*o4{dd^q~LJtpg2)?!`*;-NAI8eOl`l72o~x(%={kjSzM45-&77}h&Q~+% ztC{oFv{j|oMCaY7HPLy8HgWs|tW=*7e*rV+tBLc~#QAE9v3*z8T%~J%Vf~186YDzG zRjjwLUc$PVbqec9)3%P-00 zm*nzGa``2>{F0;i_XAi9SbMNqls0_H`X=jBtXzH#E0{T74QDfRz8W}R4Tp0)=c|G9 z)xi0x=X}+3y{La#ZC}5ZbtUV~temfU&R6|Zjz5NVAS>sqp4)?ZyNa*-hV^aMXIPW0 z_poxl>iB%sox<_sSUF#Hapv7wJF{v^Yd>S<>$sM$#3|Iteme}&R6Yz z9N&x8p|s{Z)^}N-WnIn6^{}R#`8?J+tS7PZbzHMQb6?i3tT{@nIbYSBuj)rRp7T}B z`Kso8Rdc?oIbYSBuWGJ`)dl=}&R4ZlaTVvQ>K*2dtbD$z_Ng5{M$iU9 zPYZfh(366m5cIg9^@1J~^r)b9g4POZ71ScASx}RpHE9~D)vp$m6x1N7UQnH&MnN@# zss&XEsuc8ypjCn%7PL~(LxLU@^njrI1>KjX5nBDdg6*y1>Gd*MnN|Sx?a$AX*yb~FBf#JplbwOE$AviR|>j9(B*=b3%X3uGC`LL zxGt%AN2^sS(8 z1br>&D?wif+9K$4L7xfwRM01aJ{I(mpbrIY7W6@yP?sj8X_!_&UQn^1lLUdr&}QDEYw+iv58wWU@bh1caROynyP*Q>I5c5Rhc9_@dp@@B&b$xXb!O^6$<>;_V5WW*@Egq3Ux0F| zR=oOl*5$0HvrcC{mUR&8eylsPQol?mt&xr!`j(1s+`!tvO8qjhU%`AP>&dL6Sr1|5 z`qRkgv60VTlFwW61GQa}>RTr*$@MGA^()EsE6MdM$@MGA^()Eco#b*(a``5^a=JN6 z8$M%wm32KUmtVsj%$%==GnhGF4VU*E)fKkN0Z zoUeM$S3TFK`lH!?5G&`ap6g3J*ONM~A9Y+W>Yh~F*VVG#$;$bvA&o)2#KZTn}rm zVm^y?7V8PD)Gl<=YGTa0v362g{WB})tD5sw&Fw@r=c}6YRn7UT=6qFizN$H2)m#s& z`*FIQuWGB}D$ZBco6JwK^7*Rb^Hs&?tBTK8)ePQ_&sWu9%zVD8_o!+gyM>v{ zeeG+^R4-tEoSEte_z`AmufP?|*BJ`Fg!w$?#msYsc>grS`e2 
zRyTo}&JXwiW;!2WIuB4?#n*nx`X=jBtaP1q)oSTFgVJ>drRxkjgSX>+)pEXSLmW@n z8MdSAs;gE**A@b7}GoUdwX$GU1&oUf`6l)dT&Rz6=sq zd{y!Js+z~!@%gGcikZ(>6`!vvK3`RIy>!(o={kYFuC}k_d{x#cuIOcGCv9zlb$8az zN?U(r{e<;ztm{};vEIUZiJ`cj3R$VVJ87+p+0NHdD_=jYv>oiJ?RxNbR{lLP(qnG@ zO2xOfu|CCG$9fm*m8@l~Gg-NvZ>4sqlh#7%LEkd$&<(5&tSeZrVm+I6HtSf{A*@l> zU0HLLHvi1}5i8%9o7XZw%zE?xeE+`}qualNN-m#>==1tHVo)NS`(9?pR67-~? zCj>n%XuY7v(llOccvR3jL2CuI3ThG5ET~D)8bPZCH3~`!Y7kT}s7_F=pc+Bdf~wL~ ztTj{$dPLAFK@SUBDd-_V4+?rf(EWn$6Lhbjdjzczbhn_p1l=j<4neo4=_IY;HbJ)v zst|OGpqmBVB4bGPt%E7!>NLn2wE&?k)YEAEf6$c z&^$qN1-{`IYiQT|2|6adC1{kOk%C4DI$F?hK}QK1Cg{jCP0|{^ z6!e9lErLE5^qHVf(=<_Q_(aghf<6-Tp`guz-WT+qpmznmBj{~GZwYD>^roOU1idck zH9@ZmdL>PGp7@)fO@dw)^pc<#1wAk5IYG|~+L$KPo}q${5OlbpA%X@AI!w@^f(}X3 z7_Fg5&>%qr1q~2XDCi(T2MRhs(Eft@3rYxz3yKMf3W^8{3knGers;UCAt1;vXg@&( zg7!@luD`F+gf#aS)KAb}g8B;DQ_voQb{Djppj`#^5wwe-d_g;>X|&eRThLB|dI{Q5 zP)|X5g1QUpCa9~RE`oLt)LBp`LAio_g1mw}g4|ALVa^rk|Nn28%Z+ga6&OWOiZKL* z7(tMW@dIsGgMKB}t1qM8?WO3kZi9D%mGDYXMk~RWV{ZQ<%y) zSY;lb4>n>ggQb=-%c4I%vmE{LwdkMUjK23g^t=y7zxyKey06fUaSVeoH^0PzetJjw z|C%p_KjRevV?>q6?9J4#fcUWDnwK~}!rN2-6YM8&Jbm8-(|6qNS~Y!FM0)i7 zudCMdliIGDzB?kGz7HavzV~5!`Ywt1vsC&`^!*R<^xYEi^nDTA)AvBcQ~wp>@8<34 z`yk@!yC>r7Ii9||BA&iuBK~QPr~az$S`B?SMLhiu=~F)+;(Hp~A)bDRcJK5tND6pq;l`7HGZho>i@=J30CAs{PTz<*X{QE;#gRFeMk`BcU z-?F~Lx{;O3ui<`X&R4_v%$%StCe z-#o2~$`{(g@l?Lx8<{U;UBF7$73_3fLJ#8jy;<{EElMlDWPOvB`b+Y(N@{oVw2IzF ze0Oc_F{}ew3s`q#wJUA?hV^aM4Xh2UD_E~)J)3nl>sZzytP$2etUjeJR1dprE!=*# zyv*@ySsymEtG0F&>i`vBv(QkKH?^~9w=PogO;qmSn-sT<;O$o$+Er`i_NRvGd3UXe z>MQm?nSXx(Z%^k9_ZKSXuG+fpDt;Z6H<;U#wN&mnK5kdmzM=NB_I0)W+9#QxV6I}W zWWJ60R_0~QmolHqyo9-gc`ELM{?xtjkErpxJgsICE9DnFl9|dCO!Wau^#N*A_Uf-$ z-(uzZRb9_~H|te~qFg^_-Nd@iP?UdIaSI&>wp+#a3f4JQC!{xoEhV6H-Ue0<3>&dL6Sr1_ivhK|4R=WCo*7sSTXI;a3KkId@+`hEX z^^baXu@T=@YoYpw{LEse`UyMLTiB^xfc-4CQ~gFgqx&}ORR3Y8@&;3TfqL1Gx2JXk zb~-PxQ~QDXyf@ofTj~74o~Pp1QT+#76t_ODw3+HTet#e{wKLtd)zof6Pcq`6Ls{dj zyRlNc*j;PtS_^!W#w{cyn%Ts>pa%+tixFOdTrc`xf?6ji{uu?Nv;=3t`|wJ 
z7fG%cNv;=3t`|wJ7s=!K_xv1_3^Dg+bt-N6j`dyEXIZ&kG(5n}`D(a;ne)}a`D!?d z<2hdqoUaDXR|Ds(p6h%4Yij%Y$62X;>8{n^&dm9$=X}-A;P^4Dhp}?L>hqaBO6z`L z{ebla)@IfRSvg;Ie7@@FKGt2Uo5*&~R~^+K#8W+mc4s@)x9(c)SBh)fSgHOYp6+AN zyEy(z)-u+ateme}&R1=i<9A{8Dy{j+P(0^9rL=|Gdt5JXaXjr0{I%kBbo|(!_K)l1 zMwWk8 zZpNGP*}i$cDe(ArxbFa8fiK_J*{6HIg_plqyia*o!@u8c-mARldlz}9dkeim?{401 zUc2W9&nKQYJR3bNo=VSMo^sDcp3^+DJjI?7o+3}w)7R6}<97ez-r|1S{et^Zyu;t? zzR|hLd57~Fc*$GhoZ%b?|9AtPVdoxrFLyeAa(srjy5}5g9o6t~cfI2h#~F@N#{|bH z$Dw$q?&s*`$lU*LtN<|Dez<-6`Tr~7_22OSznWG67;775E8MRCzY<>m4gdcwv;sh} zb%eFZYRvy{-~V50xz}R&|9=$U2D_-tbCja((T3AN~lRa3x(2VxGhmu5(=rFvfn2YpClW%#`Tk z>f*9ul>JA}*SurB!_0S>uQ4w*FEP(BkHbuWf#$Gz4|AT`Y5K|ZnW@e6oN2A8+O)!S zz3CFu8KzRx1k)(fp{BU0pQ)G0o4Rv*hvod~)frR2{Y(EnC6NApH%m(<1vLn26jUdu zR#1(gYC%lETJkLp6!#hohj%HL8l8kP0*==mIzubXpx|W zf))sxFKAwxrfbPLf=&@sDrmN#xq@a2njz?9LDL0I6I3FoU0*hibBeG{7BorFL_re- zjZf1wEmbgZCb1dS3jQqTxNM++J*=%_T6XvtxM zjuh0cFBDrIA#8^W8Z4+??-|KUg~E2Qpo0V*DCmGRP1Tb7 z3+gW@At){=mL~K+ektg4&fC+OuENHqbAEeirnTpdST&FKDZv?^5Ic zv%bS-_hFZQhu!cGd^y0I>p%AO;2(W=HokoPTfad3BOVCbe}Q<^lKKWwhCcOG|JeJ# zd5L;^%~|#Dd5isPFaMkpNMFsTX^rjf`g7pxJ#7QEYgy)K$#yLZs9nnfYS*%W+O;g8 zb}b9&hxU6&wrgij(UR@j8PIp>EkW&`(?IQ>(?DN~Ex#1>g`h2hJ{R(?IQ>(?IQ>(?IQ>%s}m)%s}m) z%s}m)%s}m)%s}m)%s@@z$kqsI_hg1G8-*jc#bsu5Hzs7g?!pjCn% z7PL~(LxLU@^njrI1>Gm;UP1Q=S|R9eL3gETiPm_hpgRQJF6cHvw+gBdbc>*y1l=g; z20_;gx=v8JplbzPBj{>DR|&dO&=rC%Pt#(pak-$&1T7PEsh~>)T_os2K}!W)An1HS z=LtGj&^dz67Ic=NGC^kwIwMVsw8ql~ohIm1K}!TJ7PLsv0zvZy%@Z_N&>TUh2r3mc zThJ^)GX>2Mbh4o7XHLj(;LbeNz+1sx)&C{6RV z#zBGx3K}4&P|(4G4ia>rpaTT$FQ~tugrK;fn4qYjh@h~bkf30i=4p)qL4HB|2`Uh@ zub{mJ^%Jz0puU3k6tst+-39F?Xjegf1nnXyU(n8JnyWST7POO~UV?TM)KgHNpzeaY z3F<1Si=Z6@br#e~P_7`KAg>^gAa|PZl0$0_4EAgz1cZyv8rFWd9=OQUS_ZG4)(_F zO%C`gbme+VuukC$&w9^hZ(po@xE@~>+T^Ho=Sr7`bqs4gTfKSSTIWWL1n7%V@Okjm zXV*2%cGv=ciES7iztQm4XOCkgzR?)LzR125>-4R_ntki-o3M)CR;=ik=jfZBQvlD5 z<$utZU-92xzY(hk4#!yhQez~)XS8RyXRxQx6ZiNrb|c@D=gIZhJ^!KA7UfEcUyjYLf7EA4Zd!ctUd=4)1F8wnr7-HSSQmloz(%$CCmuobp=Z1L8&4sC} 
zB=z?0SfSaCzm4%UJ+!7}tV;~d(^@tuT}|VcV5f1GdDYc1=YtXHs}X(*0&H>FiKF~^u`{9T^5n#OxU zX}lM-$*@BoV7;F80@it~#jHoNCRlf8rE<#C8h=sT_%SP=uf}!E53}CLdLiq4)(NaM zE(__=xH2e>D}&OwGANf*@(Zn#W4lL7rCowc=VDj|bksOxFSUZsx04&tjd$%K570eAPxc zz7MO<&>mXr5v*MQTX$pT>$!#MX%DUC6BXa`H`Yg4A7Qu?}D@VBL|` zuC)0Z*0))oVNJ5~@m94mk5gLpveMQRe`GM)!H?O_`Di^waW&-+_Me$|RoZ$kGnZFu zE;E%Q%IjL@v4-Ypt%ozuR@_YItA|#7wu*1Pm+e=xoz5%lD-^e$$o2-sEjH$-m9{oA zQ+eQcdopu5)zfkI&}z8+>W3(MO)sVObeyp7$4vDDJdnAJx99UyPvbaYpJK%4X=|TS zT5~fqT~|G{wR~NzrE#|45pmN3b zm#Fx4G~O4yn71Fq+jDugmNJiIJKgWFeWBvkbJ)JGr@a0BeGTomhqi{!2ei)E4tf_W zpSLx9KG#tD20OLe(8GAUFzYU?UZtz4ee0pE-pu?WYcuPEtT(VOWu4DDo^=>&f7U%% zJ1cGcm6h9*Ms80UALV!|=N?+)P0Sau(s*jbQ~5%Nb3C8VMrub9Pwgm_&u8*WwOx|S zFUjSXR>e0_eF1a2O;m5doNm)2#&&qVJB7EumH8ZIzCSf{c{D9%JLkV?3LdGq zJy&D@Bh~NLI{5boDqTnC3HH6%PVFtYo546QeOP@;>waSWko6_jR@RlQTtDi#-q$VS z_{pqXKk5!HEwEt*-&E9Cg z*?uP8r3cvi*v+1z*)Fh^*oN5p*<997tWR4Xv|eT{wH|E^T6eH~ZF$jBZMhb6 z@{hOlx9q6@q`$7O)^EYv@_2oqzN@aA-!ngIz8i0Z)69pP_cpstpPDw99x^RAonjhc z3Yog(e3SE1PEAgE&f=UgIs51IGTz*N@1Jer?^*w{{o6~Rw|PKL&>!^g>ksZ52;~RD z{lk&|VShm)5Ddhlv$B~(v0yY5ote=bO5oQKepeS1>>=kvzh&g1QMT~*&Hv3 z#)I)la9TEVFdFrTVkMc)v4VIo7DxoAW;2K4{zNn|C9^qNkccE=!NBBf=14dm3WO$Q zGy8Gm;poK7=14&_9Ek)H6SA3u;b<%x8=u)6E{F#r@j#+Dn>iGYC4zyIGMhs#x(ctiGW|U|o=07U4Ia+|a5{deUWitnYxDdieW;Uay zM*M+5d}uZ^Y|&`^h|K12K?El(5j#Aa*&mMjBY`2A&7lHRCVx0SIGfoYO$7Xb!!nzL zxW?k4Q1H-fW>nKaBz#C_Gpb@D9QFr_vY7*kFj|K}na!w*k#Hy;9GJ}<3I>DGz<`YA z0NPZ4I1&gIW;2HqIHlo(vzh%kpMk(ZnayZZLpbB%1GAZfp+r0!IUuuHwW*=d{@Kjo zU^o==_s?ubo0>q29!X>~M`B@Arg%0pYD?T7iDfoN3c@I~crd!XITY$2j1>4$%VUX1 zW;1GPJQ@y1!`aM8IUEgzGMhsMxB`RWU@)6G6!b@ep+IJH&}cmT{)j)D8ATclh4#y4 z#w|S_@)u+_qaynQ;c#r8zjJ1DxFCuj$6~#+nNiOI;mA&z z%^^HHMDfJcE1Nm&NAj^9Gn;YuPx#U7^~`2QgPjP6dSo^SjN4qy@6XF-4kd7lO?1y} z#&c>S7z>8GWiv;DxcuW?vzd*`5{h)mX!a*?vxp`_!5y-h(O$>nki$mI z%xF^4+~;OCqozi}IOV=<=13%%2u8fw%sAPxSlE-<94)|24i5+JY~~Oi--7{H26Lc) zBwP?SZY2R{HnTqv4aFml%;r!5Y-sK6naybSP!Z!HTQ)N;p~vlU~`e7;Sywpp93 z71lCqv9-{eZ`CYqmL^LD=EE0T3N85-4eQJ`!J}Up{NNR$pIbxUb`yH$%g{?-XwEll 
zn3djSsxXzAicN*4e3O>bmeZ6|kyDmaoKu*SpQFLoUlY9bm0|tBLUeuRz~@ zG5YQE(P!U={`v~^)fc0OIv>5#ZSE#_1!mG0)(;vptBLH6A_J>|NdKXXcC=MEe%yVu2ea9Oi8$Iy?Sag8v{o@R<8kf&Y<4t-*nxImHoHHH z$8NuNZ)ST8&kRvK{c87Qvj-wUyqaq(GTYH)1;YVsSLsK1c_9zL{+Y<7PH zFI{o%mdy5GK?IN3{*ZQaW;<@P$bT@b-IUE9#wVFTK)W%s9XHwtp1b_o4cY8CeYn82 z>$BPMk{^l&wCgh1BmE<|*9K!Te^@KeX2*>>5r}KoX13$GFcA;L1KKs&?4ejFo``8z zXSN&nTRdO|wX3q(Lq`1%Xjf*o<1HqPw~&B#MK*iHcsLAcmuIv4V|bpAYs)j+@yd-4 zZt=KwSvEUfCh$hDEz4{V`PfoTWF;l-IdYlO>#4nHZuuH zrqf|j8n%L>h<=I-ilU#mqe3ZL%ckN6D1zX^BI<`r3od0warvLKA`F`_!C^;a2;`@EiEFa=oFq%}pYnC4jV|t4#-)WwY;Q$pFh$#=6<%iJvBMIf( z&GVsLj$^b*D&I284~G*N43%#-&4*TwXgZ@&!AKx!%KsBmB^)&6|07^UlTj1?Ki&Zu zArOk2^8cXGu#7b2|FJ-W%GZ?thk_qsx+(u32H%@Vn)Ck&Q2Yr~{vVSUR){A2f20Gt z1FVlt`Tq!5nRwWo|4)XK;kY^fkIZ<;od1tQGZ--C|KpG=!{+=y>^-0>H|75mWZq4f z^8a}2L?B?w|0huJMAVf3he(@<$4&WvXiTu`HRb=&jA3SD!v81G)?&d(+?@Z%lOq9B z{vRC>6SgV;50*S0jhplTNi5c*ru;vV)nWlt{vT8_q+L_~AD+Bo@-9{6EZdlEH{6{|^Nc z>}ZEIlB7n)Clq-AALQ{6874 z;~^9NA7d&M8?lfn{|_^k2o~B+C#qnq1FO1NFlNgCgC-+`?&zx-{~rn^F}j%Y|1pfm zfw(FEk2=NZVaor*)+>Q!U-M^!2uos;HRu16n24YHi3=k&#f4C!nrEef<%KwAbfVr3n{~yA*7RMQ;{6DdZ z2!>7g{~(?X)+S`i|3i+%=wr(NV?_$q&XoTLO&*IRP5FQ5o1@XNIsYHWpqVh`|B0zs zJYd5AWA=ycF%&c9|1pVSmNe!6sj?|<&i`X{2qnz<{{&GMnezWpSegZ*ru;wJ0=PO; z{vWIGa4c%d|HJwgs%lgIA9lsyflT@TAhe9}kSYHU4I4&$Q~n=nYH)m}{6F~pV9cEV zkHNMe7AE}v;Qu%LKlbF`;J(k|B#NLLNe$76JZD;kumsx^a<#9O!!A#Yh{|7mZ z7G}=>qjtmSAEx|2#Fhm3cT@g9hJiC2G~@p<&0?y9eSj(d9}Sc317`d`CR&(fp?*#I ze@LsOeVgovBRAI zC$_iXpG^6GNK+WX$Kd~o0a3z)|BqsMPUx$kIsZ@1vl3(Q|HOVEY|j6qe_$PK%Kt;+ zg8h{#{|}K11E?wg56da2Ma=ns(zTMN{6AC=`1B_He+&XXsJDPA|BrqNeUT~u57rlp zGE@GaT2+M2`TsbKn#}osD4G*VbN(N1g=#nD|FIhj#>b}oe;C&Np@=E}p8%m6j}!hs za3FgBCh`^dchoYbFW8U$rb&KcUO3tTf)<0uvf@{vXy9_|J_0$NYr>1oMk2|Bvx2 z1b)3a|Bsy%ke;wj&7A)Szl}{z=KMdI9)eMG{vTQkv_^COKMVl_{G~bnpM(KW+?@Z9 zU~~e1Y0Cd6F}z}aHRbaB2AjahX6H!x0%i4k-TL-QKTwKM5cF+q@-j+PlWP$Q$#{f=7Ip z=Wm|hdw%ZufoGTJtJv57eoxg?_GCP3J!g92@IHU6$KC#N`ybkW(f&~T?)ID8Kh=J1 z`z7s_cD;RF`&sRY_BriS+S}Ux-nOUhskVo)^Z#pYpKkj=+of#-ZP~W<@JX0#JF#tQ 
zTf6%o?!E4(-H*8MMby6=-5+#c=HBA&fzS6P?s@JvyQjH5u7A2-a6RMtq3b@^H(Z~A zM}*7av#{6oR@YlxC%NXjj&pgP|8lNv&G;h5o=iA(T0&1r=ob?DxrBZup(iEugoJ(~p~ofkn1p^T zp+_b3BMJRbLXSx3VF^7Xf50!x@JllMq71(v!_Uj`CK-NChW{(W&&u#KGQ3fSpBCU1 z%C1kz@CF%vQih+9;q@~7m<&HE!;i@DIvIXgh98pQ|H$xzGW>uHua)8ZWq6GY-zUJ! zm0jeStU4~c4@NyYmCc{f*c!>EK0bZu; zxL^HmtjnXQ5i;L7?xp3hCvwyWY{Ug4gqdccKKyESB7tv;fXSwBg5G; ze3J~{D8o0%@B|qiFTADsX z-Tf~K{Zm5!kkH>H^s>dEOsMpx6wEuV7ykk*$!{#3U+o6A@9(mc0cJ#RoS4b5|__@h6&%au~D zzlWvpw0Y`meT&{->CR>51=ab>7pnO}Pj|o8r_WoKOP31eLblT7U!UvG6b8#({?$X} zzCwRj=Zd0U(ki(^zm_K#(Pxn7uzO{+iq^4GE8)IN`m`Q>-icjZiwBDx`c|DjB1aOt zi&~|ZIBLyf|v~sUMrE8V4|3o(}jkPMil)AE1 zNbBXYUUnBtxk4#d8Jeet+$CKjRYhL2FV{a%(aZDHfV(nO)aR*M|B(CSPEu{Bp4>^Q z(0$QGZ>qk0q@C3NX{`Dk-Dhg~vaYTylyjBb7QNiT(ERkFk!t;B_rI(xC!KZv9`I5njfYj2`fdbNt0 zE)3)|D(WMb)+#zmt?FBg`9iKj>-^a2%ZJfoypcV0@|k(OJWg6wsPxXMzC4*`E@GMX zvFh!x>dTYp$w$+Zho-K<28l3U(9{iT5@F- zts6}xpC3{O#A2cgWYN|ZE?ugYa~LY}1ucUSK*jS*6}(QiROlmj9H_lYzV<35J*%Vt zqI;2%q__>w`Rrpa;dI_DqtosLZm0rJAETSA3Nq7e;lsetoK&7`(nx~4r!i^ybpR;!VV8~t3 zdg!ZZm5P?$+))k$f?<@8!wg;@MeEkLXl3$cjf@KEAZ{{56$VOaoeVOhi}n;S($;!$ zcbXKPT&9ww%s{#_k8~N*l<}3x071Sna?5(2f$p@17L6hzQB~QXsm?mFYk}6c49R4C zoP{hlwws;2RPQfrDReDhorASWb!{b=NA-4fok(sVJg^tvUhmG9$WY(#)U=S--K*!( zNE=HaoY8poS%pGRUhi5!PwB!J%9BwHZ#=3D8B7;_1C7^bwxp5Tr}bl!Xnbz-D~y>6 z-DXQJt*eXr2J%{^P#X2b9xc?e&1lXyk%3y1j4 zRkfD79G_{6J}P;AVXzR3j4DdssFz&U_>S@^^%B%S*t%SK05Zht%0MPppiPt)r+&)n zg=dQywJ&gXuF}w?`^tSqy(Zt(`_QuTvf`rto`(8qa&oist>(j%x*(s!;3L;fttbo0 zXpu1*0)K<~7`c{d`9a7*qw5Y*3mseK?%v0eM-_F{$zvClj*@awh3XvZjhdXc2xY>X zKqMOV7KL1Yw$RuZS1du|%3!eJC7PZ~hAK>JXXf&Hxl4FK}Gu<^#-L;U8dC7W#m)-T}5u}gdNKlt>JHz#taX+ zmx%D>hyeJg?*ZSfzW?=o*tgv`qD)(TW@Z?w)K+MN~_-bsn&I^XSF6;=d?~~ZG)Y}9@|s4hY{!CYqn3@ zF0~EVvbOcM57-vllCYAPYHPRt!@Ae{G&C#sTEE_YVS8WuJK9$uIzh1g`1ZrwZEgG7 ze$)1owg=m8Z~H>q$J*Z0c2Qe@TX);aw)t(LwiDWpXlr%9^#z0vwX z>t)t0)*kBy>k{icL^zyg^;rICc>$3WerUPR@(s&pEdOJ<+%jnCwY=5x7RyPNxt8NB zUTAAxtZQmo?yLVk^y~Fk1A@}?T4lFLN&$+b6re~-0g9v)ph!vqilh{vNJ;^Uq!ge? 
zN&%+iQi&YZ`<2}yDFrB!Qh*{U1t^kIfE$H71B#>+ph!vqilh{vNJ;^Uq!ge?N&$+b z6re~-0g9v)ph!vqilh|a3c1W8M|F*|TO_3bMN$e-B&7gFQVLMyw*W;_3Q#1a07X&? zP$Z=QMN$e-B&7gFQVQ^N;f(-AQVLKcr2s`z3Q#1a08bKb^*&{{NJ;^Uq!ge?N&$+b z6rjj&0g9v)ph!vqilh{vNJ;^Uq!ge?N&$+b6re~-0g9v)ph!vqilh{vNJ;^Uq||$r z-6AOkD3VfuA}IwZl2U-Pgo*_eNhv^8&J{^1IcggUbGQ3EJ7s~Jg8J;i0AsKF!;h+q+$Z$Z06#-(RFUznb!}DZV zlwm=JeKO1o5Z`x?4F4d*-^=iKGJIZ!|0l!W$ne)P{FMx!li@FA_^b?{k>S%ad`gDD zkm1h-c$Kp2XEOY$44;(Y6EggX3?Gx>k7f9%41XlUAIk6%89ppP^uenIh*x+>hCh(u z_htA!8GcuW-x1)I%B}}x_-z?}ONQT+;R7pg-PdoQ|su|D76Ug=)!KHZ&g2i&vWs{0uCB)8M8xJFzrVzvH^>j~E*t_NNBxOTd3 zcHQK>A2Z(6QT-U zhgJG^#1`D@C^~u(VQ_`_$81C!JO&o?PQ)A>vA<}49+3y1us>pd5b+0h z+HbbsgcbaC_G|3h5sPrEy=d=6M8XaBmG;GmOPH_+u$oux$Ji&?!GE@nw7%H-JR%i7 z(fUa1gNRqS6KngM5VdeCq82W04Pf_!Vtd~9h;1h#7jDO%hYg5bINLVKI)dnh4_a@w zUWfRFy|9qD#`~i83B)732|F3KA|l~pZvcB36zfLMi066F6P^b>JD~@;&a>UK)zjsV2fZWK#cf;L zuJhdNb+$cX-RgV>TQyYI>8_2gi?Nd-(Kfs7m^P<-#QnVc3F`)EKdy1!;Jn#+kMof> zrEL;o9R?8ba6?;f>vgTyv~F*`*m@HpFFs*?(dI-P#)NI9trt-lue053dl0)kMp`Ge z&PK$>4Xs6IFZMBPcV6eb$+^?{pz{gm^Ue{M({+q%HX=eUc5T2eh^?;euIqdwz88JZ zBR=C3zDIlyB1+><-_5?85UcSz-!;%3UF_THEBbm7w{e4SrEjtCbYH?3@XbaH$77&L za(WgcUSk4Uq1lMqc#LO~$BEdDBkeD?KaU8GPqaVM{vhHw?!*p{n-I5JUztIKg-icc={rqel5dyxAF81JpElfeL7Fi^7K4U5AyVjcsjjqs&e;fJpCG; zPM?GHbv*q>p3bkoJIB*^@bu#tzWYL+{vDp~;_38xQkD{;hxH>38$w8@lk%fhaGRIUH>+Mrzm%y#g9>bJf0tY?0DDT`SG{>_&7h_&yP3r7B@gx0iQGz$Y++N`6UHr)3>-HGOC-CDWcHH?-e*6PJ zKFN>Y;>WM^<0tv?J^VPtk6C`?@3oV^*G@lApTdt0cD!vLKmL**ALhrq_>s2jDavgh z;`kDNEb`;q`SEOiO!DKK`0;Rd-0?4dr0<1(^)$g#l^x63@$Nryyn>zgK!xKJ$5(JX z!12d8-p(=o-nbu4pQ1eQ0MF;`;DMiT%-`$&wH!anj=Nep{xLaDQSR^Mn6|5_%C2KL z=I!nN3pjq69e2_8GF7?FOE9i~FH66TwpUzF+ZFP8JHG!@JU_~>r{4$p3;6Z7@O)m* zUGzI5KhN@a@OH6-zULHW2X7ZUc)Qra+rQ5Tl@KWyuIJLgk#>`Z{_X%R^Hxk`3K2I{qXwS#p``n z4^LmikMr4m?t2Hvw0<$a(sqaIX?+4Gcs{K^;5TyoZFcA<@rRNym|XCmeab z+;tL9pUsc7K9EoQGmf-B<4Es2Rk@Sj@6JE4^Y5hX66yDGd^10Of*-Hp$M^B$h5VS~ z$5s5ekRSQ{f9G_Lx%_d*2*Y;_^W(4h@rV4liy!ai$N%NW5Ax&X{8->eI*v_M?x5oj 
zjwkbUULSYx`ncmro^D~s+h5?vpY!8)_;Ck6-bjweD&KUF;}qqdmpJDA?H*cg3E3y(f%_< zx#f2}Kgy3@cD$drt8Zo)-u-v)>7sml?+rZtd3L<-Jnu>|fA{0wqKNPP20#CPe*UFi zNnYN4v-bw+{BQB|ujl7~$a}MxzxyihBO<<+kBhtcJb&L8yw8aFyEBl~1^N75+HR+S zzv1`48=||BKUKM%x7XY0I10R(oQLBEeq7Iwe0;t=#PJM%q~B$#vXg#y9BDn__!!II z$@|I9dpZ6JKYolKxAWrwKc@JRx6_@xo$j2&(`mcFJi+_rZGU9xw>`y=-{Z%f{P*I%@ zvHOH_&k`9f7U1>DJ!i@AOc^ec;Q|?o3@~mrU(P*Uh6`nQstiw&;mI;QNrv-en3Q2c zhH)9jWEhoUM22A*h6MO=<({AnMFtqTA_ENQmrtH6!+;D=l;Ip1&X(aU8NNw|Z62f>vkDS{sLy-{vsB({6$OUxC&?!TQ4DB*(m7z_BRvB7k*djwkg1i4E!+*-~ zA2R&A3}2Sv-(>h#0e(c;JtD)GWVla;f05yzWjHLuKg#e$8NMJxkq}0y_Q<&+e~4U> zKLix{L%`q4*FG=9|C8ZwWcX_VUZ?E-l?t(o3hHGTF zT867+c#aHL%5a4Ym&sOhIh*Fb{X!J;cYV9A;Vi`c#90bA;YiB@M|)> zS%zPQ#9ZgT6miDE>wiT)`O5?hkD z_HVVmWPb^4?6EB`wL9CMYCo*K1q|%dmNP7KEXTCG)bi_=AGh33{(G$!Sr&)#*VpP< z|549r{k?L{0T$@3)jjWIoAFPeo55!qoAFC}Ujf_b>6YS*THBq=c0VtezhKSU)oWI) zTCiBv$|~E0ox#W-E$thc^kdCI*IIwCOet2!LrcIhu!ftcKa|9KM&l$ z1Mw9Rmi#^l9vx=GrNcrvOCWpAv1Jgu#?%$7R3xs^`-+8*`uCP$K>-*6Ag(0lceg)d2n>w;jKmidAcu zt7q#&tew@W3al-n81nZff)!;(S1GWI^5s+xg3^2QhC5#6Jjq8uc8&x=rm>$(BECG-e-N z<)5~*_U++Y0WK{{dP&XXO86vjVWF4()jc`t&tVxWis-$fX?5Cn+jlE2I#PJ5d(NlV zGVdJfj9_)oR+_-PQ>fFE>1ZGv&jkJHXe{B6BvWC3B9V^!5f(9~MN^q{D5W1&-7`op zV%{m#X<-C~golF^yi@EMpgGJtgHo0JB3QUQ=phdn#hakMM6PL zaN7T*IPgYCSN9Cj^qH(KsMn1$b-;p4^5P{^93NF|hgJ7nKoglW50yCchy{+V?%70B znX?d8au$M1dWB17uuD*HI!$HuHe-4!o(#s)A84HleXMEEn6M*|ReDbj?sMS&gA54RKM&U!>K3>FFj_GN z2-4fB6Oi##*a0{J(Nye#Ea!+961ZY89^a>@d$s;txepzhc=h1@le+wR>-%w?ksy9Kf(ba-Y4i<3=E0I)*0oZ)H%)h+cN8^D0QpJ* zqdeT)Y%bUQd(fK@-z|}le*lgHl-Ug zL&L!Hm2c9?Ac>N$`PL$^}CF^EqvCL%3Ui5QYfQzCd+`|0&O5qwyEPD z!oF_9OGu-a6ruG=E>U6uz_eD>(;cCBK-l0*y)Yn8a0ca`;HF-Th-{pHQ+2OG`#ba3 zG_%PZI8gJ~wC7#)Og8+?oN`ii&qXwW`30Ie`SjIiz@ZcxZbt7{XB)m*=FC;s^cMOc z53bZI=Wo{4*`zzw8OP?!}(_YhCBV()`V?N$_+3Tj!(B>zx_rVa^uE z?$&2vHNU&{G|Lg#Q~v9gAGCY}mtLe~;7$I`El0JqDt}R)Q+}k}tK6)7Qh6`SAp)o4 zT=MUszs4E}R`<@Jqa+g_kDne3M>DBZBH@q4A#q1ik)S`RYf--z*0P~YCV`l&;iIa1 
zr_+m=*mwN21Y$Xd13D4=_D-WYOzbU9a)5lMEAU2x6dPc4v>sj?IxFUlSKgsbH9gWBH<_9nuQ$K)k-@_czK|w)==bEI) zL^xGT6PJiY#_OS_B663>h+2UQHLSy_WVWokSL=a@+sRzhbtVIWcqE8`zyZXhN6^w( z6tj3u(YfmrE*SS%h58AC8Cu2<9Z>S9gnQD?&;orZ~4bkoM?S;<>l zqB9g}9G>Ca3;rkb-F*c(5Q79K3M0Wl^wkj&nS{6mqH7M1hpWF?mC^up%SJ@KGDKMF zF_PN zMklHObqN0IR4$Cq8hiM>u)6mc+EcbMG3j_i*EQCMZ_;8W*j_xblGG*Q<$tBG@V}|P1bgr!zSyQ zY_i@|-P=mP*VW98?aT>J*85+g(V2QYuie~3>nlJmjAMQl)~U5A8nM~~n42TXB;tYx zpp?T*Tc4xrb53Vp2L1yzI33-hr?4zd_jU@E(p>zg`B0s8U<>3~^_e@_83>Vu)vK~x zO3=A=HFd$-xMniETc(*i-I`xOzIHOQ2glCtEBC^QHTS#9uN}-$m(2~S`qs3buct8; z5}(4Ex6Sn{)*JpaRrtDuJKSY(3kwIsc#ozlqz3P_h6i9#&6kRL>4ZPdCRm&F$J+ogT3P7;z?C#)wzr50&P(T3_qNdTZC}F5 z_qv+x6B1J<%=TjYC9IjzG`obR%h|7bp3rV-FR0D;;`K)3Z- zh(KrYJ?8zr_ov=s`=#yW_Eg(v95Y&f+xjqK(Ouu#+q$ClRO}i*3>NUW+un;ffR9=? zB8;7~Pok4Tk0H_vlr@&r#K9;W4>9&(NFC~lnR_rz33BF z%} ztn3$~6c|NmnY6q#whZW5vQP+wkvhv5ad>JxfYdiNrY5j_7GTxAjdVdM=ofrWp_ z(&Ym*-w6LOastg@i-+v=cv91KqTho`FXoSAwX|Ogq%;0NJQhhtwNxUc1&^wZ98WJ| zOM&dPWKho}lJU5HM0G@^Ic)KetuG!%m_m_XQC~cuWK3(wOLjB@C{#!wggMm_wuEHM zhpc^hp|Vo13~A~rt-oC8qb3Wr%0)G>)goI(>9op1NM%trgw$jLmBW^OOj^-N<*?-( zD}pXo4qLIY%F(9>!g?qkiRu1ODjf7jLfN2SOT{(6o(dIYZ=tAYN1suOZsvNdT<0UgH=SrnIavbeC?`Q2SJK@#USk+3`RpV(9 z&6gle!(kZDE7dDzr%&OqCS`A)BaqhZu8YmSap!FH;BcNDPc*4yDm@>f+K@i4&-r! zW{13mp`*-1B(egc4+dq6=M(cAqMjYpw^R_-BX4L&MMWt1M?~gWtLH1_bZ<^tRRueP zF_Q%&mU#mh+F+hQb-K8;R6v}9e#B8I`-`Occg7Qmct8xqL1TIhrAoPs!M3xDwZ39r z?~FxKfmAf1h0=jA*8lNrCKXCW!|_xon@&fxYy>tS>1Z^YO`(-0lUg{KL7bO#JRM8w z$w(@An%=)9S1R-qE$x!bDHw|yb-7K}Hn7kGA4`1BcQbW%eVqf-In%%#33)vPB3fJ? 
z1xR?0v{vdM@k;!Gh(8br$*a?Y2;@PUN;f7O#`Q0#yS0XvxX$7;6E@D$t6g0kUF15* z)kN)E8tBjD^Wji;2IF~<-Kf5btmW3%nGFx=K!lUICj`lzz|v>a-LTXmt)AS7#&@8p z`{>@5td2}$^EX>`W{pMX z_?vNUt@)ZaVoU>!d}7l;7K_#q#yRl>=OsPW5ym%NaT=Y>v#;@@^pA;dbsCdL6B$5QZw4{C9#{miY;}YaCa17Z-9%&E&_CSW)DDu;Mm>li)dL2fc*XB_ z3oq*))$!2GL~0~EWt(0dVbS9*VPbIB5QB}^oyc7IYRr@eH%~&0W?|Zx7@chpqs94> ztp5*h=~WQ({r~fl=U<&ahgbcL&RFXMt>0+VV4q>Ab?OeDz-%Oql2(l4Cm@1f5{gfn6_=4YqvFOV5k zu!lxjE}2u~JqU3oh(u!uSx_b?6LsN9C*K0nG!1DciBzwg0A-jQa>+*+1(_&BWte;> zm(9>sLD-R|Y+CL9qE|;aMBk)KH25(!Gb!kH^dnMa8<}tFc;(rwApe!}6VdzETQwvmf0q2y-=)^J&G0YZrD|QYVRso46hEWhy17V1n{H#% zmh!}QEy`pl47<42xan1-`F5$0<4DV9LLGZF%OFA?Z`xgG+x!mb0CS9z!X818_Nd7L zYu$!zGJoKHWw^$nykVZGn;jgu6!)g;h>fbBn7pnx5#kKH;t`Ru(x*Vy$4))cY528< z5Y|}U1Dbl8O+3d|M_Onp*?taP5`*4c9bu-?j3?9WjgObB>#*uDvyWyft_)FpC1RfH z@H^=fSXazI#Wl>VrkNs%syBG}*I{N4%~V{O>ET!?7|;V5e>8;|E|Q2ssSrrS{pkR# z2NL*;W??)q%(kg8g;i!+T#rTLQ7s-kqB_hryf774rmo@|X8U;f6?GNYZ+`%~ zEU{Jl*Bs` z#WmDfB(Dn1c0TVnlrw&8o`X`nzv3^XvIAun(9_>r81&~V{cF@$;9PYfEwg$CFSKDfxT=ssoaX|<9zzk=GoYWZ&OS4@b=G!gnlJjZ_TwdwKG-3uBH0H$`ELRUeypv#0<5!S#s0VW{IQIMx`_+ zG~foENR-gxP7+#B}r2W)C82X{p?`r_s4VypJy36-lnW9c*@!z8_Va?{ji ziA~Z*Cyh#JOpq}}&4k$|((6hc5(`^^U`J`WQm*M2o5%n2ST0bGR~}caG3#{q$J|-> zGT&3~xa%1AvCfaUUT|jZKX={b`l9_3>vvoqa$V^9iS?`2^WBQ?qrL|%^ILx3@*!)k zCDqn~D0F{U9=AMV`HJOw%X=&rkpIZ~w|11*!mmEs=BN%2Fe&3*Y+j?H`M+gg4^)TG zqcXy3R+1*N(x`8CPIb7zihnq}$PkhaVy0VF9cH`ew{a0bl7}Wbg~Y1Eef0IZSxLoh z$iiIQL=dp9RJOhPO<{~DKzd`lk-7ASmDMoYgv=A15VKa(mt$g9N)WSF(R3zerRrjq zt4BGu=_7G(aW8XbO0YW2_HQ$ZFg-n_WwmT37WBt7P4`DK*@!=-=^1}8oXl#$Y$P3y zL?IEfUC8Xg>1ok;AfP3%?fSB4bvRAi%vI;oFOiA z(+|u2TpG+y&ZI>Tbi-_;t)wu#J4OJgPxeC)kLoXnh z5Q?7&Y6#;C?T^$sxPD#N7laO&_35k*zk`mKY-4Y_$sE|&W-h1>cd=H{!@iv{1s?1W zp=#q8AkMB1zl}ZK!5(ivsM>S=Ksj>Mw1B~!Igj9jd3_eaVx4(*U^8`^F4i%FFy{?y zc1n}!iusY?2~PK|3W?{8KTKTAYXt97wTTOtyq$gse#sOlESS#=rm#pGHaSzO!{^d7 zXR-I6EDc{!hrE^MGIdCbsY7tH^)!{;EM?pbbKN?c!RERYte>(G7%pIoV<3dNE|^aE zQ|Yh{1D{kjnhnN6(FClYhS$=I_#`_mqD8{dSTYs&eNkD;-t*x9y%JT$cAZ~)EPd0= 
z>v)h5G>1f6DzCCfnJLCwY;Oo|6hr5;CJxnkDJ6RS z^=$n_w!Ce`tUR=`YwO=pr<9=bZhCXF`!n6-^fWw5)e2m@D_K=HPu(*5?z(VSX}w*) zgP7bjwaHzL1$vVUMkkF*F}q{Ki82&Xm%3lY`uJ6y2Qz14sNPJ6KR#5?@V%gz^XnLp znVTavAg7rvEAFvDxJPOR#>>glnCWrcp&Zt7hvIm|ceQ&7qWjHqp3!oL)9*ao@v`Gt z#BV#zvD-Jt`)BWWym9ZFyse(Uc&<`DuUw~Gq3FsM$HTtceYfL=;H2InJg9e?<9o>0 zYmd63;i-;0S{Byw4jm^}1Mj||IufEH%7>YR)HC4)A6?=Rv(RyyPSaIhDhZ3mSRm`q zW-=NUtWo#~)A38g9=miflZ>ZQndS?vrUt8mY9l=XTXc-8udp?`v2v5mO+_p8(aX5z zYe+%}Gt1guV!K3*9l#<)iJK^R+9Qsp{LDn&PfXtX+;~%jSp=rKXIihf1NZP=Z}ZM_*dY>g@6Cr$3LU zb`prs2FiWwoI|vr2l8x_bV)Me5?S zmoDpKt;o=o*S-&Z@6I8$6K@G`nxrq0qSd^AnVeQHjoAsb&7#E3HSyFYaUOb+AXXoU zK``-|hlM{>ZIs-=a6Go!#PbfNmCU>Ign74T1`_6q2~)65B2E+7DynB%1YQE+i7=SK zHi;^u$+=9Pm@{iXE{7)|=^o4)4wC(o6O-=$ z!>`(g{(ma%?N#RFyVp?9mf_kmmjyXQ3`QYdsc>XPx0jVL!{yRtLhL~6jXg`)OO~g* z3;PSm0G|W%gN1s!^DUrwLV-|#U=90_`ifev2S2&mc5$J9vwC&``@-NGbqjIwT7gqh zn53OT2c*;J=+i5ao7g(4l{SMVTCV5Hq3X!V^vw0_Ogk^lGG3a+XRB*#H-;fIe?0a$ zocf#kp#_P8qc2T<5?^fsv~|{soPetA+(8}oNkV2 zA}dUEmxS}}%1q^w7I&ZPhwjzxliYK#2cYVnEo&_cEn&;? 
zmdO^yGFEfGWKDH=9upv#23C7*XO35N;t)6gfb+(Jfo)8~7}W*NvXp~QG%BAGw-B?J zuUMmsR|ujb*)9ZbM~9R59^zD;7>PnNMMit_SHE1)`Qj3tdkQDdAm@W#(zni230Vk_ z`@Q}Ytme!96Wx@Df>B<%2$#HsKP5({q;Tqj-dsMT!aRs{USY3K_<&iT{_1d&HRolt zIcxiG&dkwF**(G5d{T9o3A@Z2n`R73k_TsO6U7_Wh9?Y1#)qj6Gl`gWKTWh{XkI@c zHbO!--#9%Tjz@!mRKgGI&Nv)6#uI)`3y1viP&O0|>TxX*iCmhk4$q|(bLAZ|Pf>ZIoQNYsvq`Vg$9O}F2U_E4Ki!~!6L(*AH3 zh7XZ+Fzd%Y*|qR{Uygos4+1LX@55TLf7qE6Ui zt{~f$8)F{8i!1G#)af*7PKGOKQqDp@mY)cX06*KcjRyy{fpl$u9{XzY#sblNi^3(d zs>8EsQ@fnaiyL3ZW2+ejUjI6V*YL*gLp+V2NC!=`n@~%8Iz+>Ru;B)Le*ky|Kw~X?*z!4v_xpFmqVJM&ymg0BP3CkF5?fhZf9+exoE-O{)$w zrxtH!!96X$u=gRZZwn<6C8R_Smv&Xt$;TY_FZ&Uw9$zK<|2fj zF~#+gLbg}3Ka`Z|PIyTLNpYCD@?er;_w-m$OGP8em_Hs#fE!N)F@+=%Od_Ml6M86+ z)#F*hjf;Lhx~FMzEuK!m2k@loFxzg;EC;)f&KCwzGUi8wm8^S)??xjK$S~9O@G_GP z3^Roa?KX;udoceY{2o(@jlpsBRQ9#Hg|EfD5VH^7UH@8FVY-|`oA?KrF=Y3IC%$tA za_~v9Xe)8?i;86hi5L&7<|+&i$4 zlq)g?hLF^UYTt~=142@NszO{diz#{oD))-HWfDkfKrDR`M1*k0d1Oi#F_w9FgpdNo zh=>OIHM$j&zg#&jWWv`74SppiN#$YQQ*!;;f^Z7CWOFW0jV$?H;V}v81MwWJvtgOBX0EWnrP85B!!_fpgJW2_$S{sZ%e7;_N=G1DxtfmoZ8tPaQMIIOc(mNZ2hX5Fi` zzFY|#gX$qXs8ex|+oss83B`MB`5J<_1|@L+bpa8yWZ%~+x&ZL;OZq-uQJo+ za(*y)_~D1UE>Er=fZ;Ax&iVa*@P6~OOr{$G0tulnC1s z%j8nH<Pm6vsigIPRFEyT6NAz)ZNG8edI^=Ie6S}Dj zMF^?lBk`%I5I{eNUg4MG>*uz>-C`}3R1~|Zm_t4XyE7E$tZentbjxYR9qQ@ywfKYT zsbv&`UMfC`*I@m<>Q&M`s8!Ovygk-SB&Ld2OQ+{Zpu^fblXvCS#T7cdmC|Ry+C!|i z8cf4L2)fno8m8xx5N~L)a701wnSu=odKmE#f=Rnj8X}40I`l)sRa))I^b_g4TEz#- zmzQ%reOfoE>_WX+5^JA4VyuhcK}^$jYF* zSnHSct!WauB`r4ezocsA^XLQRBxt4~>@=LmKbU;xsKjpSN4uBQKYb*MieIBBxRmAk9g-?kB!<(pf1bOxOtWNG(?LVLu(%z zA?ZWixKlUrSGXB%Z{CFN217A2!m(BjuXEHBoY91FQHln=qwu595Ag??vIWS|LSPx17WvF7Fj9sTJI8wXvQ zNQXS~xysP~{Kq#p+PI9)^a>1ExZ&%mxm6dpc$Aq=m+R8Cq`4`}u?%O@vDn(0j5~C` zGAgb<3N;azACTC08P6B~{E{%ar-42`lCo^%b#GTotzdFVzP6;c43N0Khcy`+7AGJzm|MC0*5N{ffWdLk7M1~RG6d=4k0jD`MAxC_E)Tka?hov<`0MGG9) zBlU1Rn+oZAHj%~uqFO+UC6d`-6#qm*kz^p2)e%lG8l{iqY6QViQ73sebd)44H%sP` zju2xoL-pLWT*)8=xSBobzqMS%DI`K&msowpiMPd9r(DEOKqsrPZf0fBNhDLfobDu> 
zf8n%g5s87lZm@L55b=!OQ7i{fSc+IeHEPDp5+V@64voeQ14QplxhuR+Ju(p-JiT^| z&8!nuKQ=3>esCG&SN{^#zg}IO%a9Py{zd(1$up$C-#B$p4XS=LAUU7js_`zySK<7$+zME`tsS{oS<4yJehN0e$*-+XmSHPN04u4Fl# z@EBK;BBcE?F~NCBp*p;jwy!Ig(O2rf&p-xS!Lhj;y^|c!)fwtvLXPWU$W8k@0qF6} znI_h*?2lfFelJ`(2;Z6nqGKDLHv#$WN%tRhUvg^wmix6z9FGWrff?J*Dns+s12?pR zP1M=65is}IsU~(dumIlN4;3BSi@2{fH3d$TmeA(HohYRY3z~xwOJHTQn3jlH*`y>2 z4-TZxqM6KQB4r;({h-`u3hi7Yb{&go0y96+47(1PWGti^%=|=~o{B{wQ^YiXIG7Ij zBXNXXNk-Ele>fhBr4r!`!qa46ezJgG#7sQ2X+bT9fGr4ofd`)9iIuRiL-1mnsBq=g76WA@T1X0JRS=~;aN1kA3u>MY_Mcj66*}cUoBxoG>s-+ zhKSr*GmR#iGpuOgxS)xHYjUz+6-~Vov6E$|&^S#rg(mlGCV)`Z9<)d8feje$pSo&#?L=#6Zv1Gg0*^B>#Az!RKg{XbKA zR&mdBztP?1`m^gv*JoVscAf9axK4J>a6aRF*qOKg(f*A6;nv42S6K!u=UNt6=Cu5! z@-gKqWk?yKFR|X|sqSN* zaoLmCLpiYZz*eslJNr$w=Q8`(^-TtQW31oDT=eo1PVrawT|ft-W$Yb{q5cdw6N^P) zz(KuCV*3~TzmlKFR`;DxFJQy?`i5bAA9LBuhVk`wVTsIdi20Yet*qbhuk@@ok#;tyxwLOz;^X`vW~{C&(f9vkx4O$#I17NQ)bvPV?+F$afigkM)5;rB6* zcl?U_2tT>HuRu$7B(2zWbRX&EXIA$y|Ag^#De7{)F02rd-{19(JJ{fr|FCLX4Ab=WyxP+%}NxO+{cRY{xI)E$DW9y}y&_ z{5q4VNHQJ_M-WRc5!JLnG7V)wG7$~wnXn!U#jw>E!Q>)ZI2nqk!Wjfei$!8tOcvOU zgqTjDPFNP?hoB7*x5|^}^_qvdI@o7UD9jbYEJTy_h4OwvTfGJ=Xfh8;ad=Lg%Uc<1 z5v#YP&E}kgnp5~#Ra-bWcj~%rpt`S*&LNka%es;=hrBk8skRDy&6^SiLFNXB4}zHR z_K99});X(Ns{1z4y1DG_tZx4M7JLwq#I}iL+Nj34zl{xMLuh^7b>LnAyQ}+hOtR@@ zHE%u_PjmwqJ~#7^%D?}VldAiA=v2dYgsn5?@bL}Yn9-RZJvO7SlV$t)g5?0|h~VZL5V=IfL&U#}JCYv%Zm&DU$EL$wT5b1dUe#nRXz z5RS$CiBKZ#4<-_1%+Ki1J7d0P&H>r%yLMV6lL#ZsKp3$D_AzISY`$JA%-75}AiqMI zue*f#dM%3`Fu%I*T>3dbRHpC0cEa=Z;#^N}o_ZhBx4`%cZit9+N=7{+*RR2Dhj^47 z&nq9mv`uVr4FxRQJishs5bTmZ6lu_qGuvGl2r~sO6z7N@gQY}mx+kK1N$Y{JxC-V^ zWj;LB6>zbSo8-^L6irQviTbKofIHL($3gr400$Akq_UB;pSMH>(O`PCsj}jc(5?4Yj*ivU8N&*|Os%Iaf172+Ng4TV% z*N2kQ^&xhH+75-fvO63zpVD8YIlS@P)HW~FnIzFT-Jq9XEJR}|Q7x8V9c8u76Vg0? z^!A3)hWJL{d43Ic5R|u+!Xe@LgMB&CG`@-Dy*SL*p50fjh!*{Qh%Qk#v1e;#_SS4? 
zGQSM+j9dpqe5u95990iureVQ9Dv^bX5|V{_5mJS^5mJr%5z@pu5|V56BqWJ-B_xaW zB_yY7bta?<^+r<1p*?7_ZD0YB+WS=OIm=_$0@bvXLqP;hOk>33z;F5r_zf+y7(WWhp?F2MQAZdKwaF4TsYW^-AH-x zd}E7>9?$8@@h!VrJR7}l_x!{22hYzu=Q;0k-srp%vH#XPk9WEpBaUA>?r>c1INLGL z{&;J?_1xCC*tWOq@|@-Sjqf4f-M$-r{l2xng+8zMk1dP6&nRC(bbu>;TYWvgb-s1j z6*t0WP_lgYoMxLcv1L5F%5!?lq=UKszwO$~7F9rIRnnWq6E&LLiz-U~hIf67naqv4lUF&V~`?7=lG6asZR>C=VgnyMy)( zg&+Ds8GEELBNA62tVGxc1?y63KD|GlH5lj&2TW$jhDf=6aEpg$`g3rzN9{8^li_eU zAx@K{H;P75=_IzPBT`c;im>E?c-)`V14(~0sb#{ESPHu|Gh^Q&tw%t!r=tFFCmh7FD2?SHAC_H(<>mZ{#+3K^mzWN+tEGNIBzWPMT7?;WP*u93;+V*!= zM;6f@Uk?nj{*#LCB4;dg3PkRN+kA zadl#&c{qs8>BM)Jzo%3fDEcdib*EGBwW2RB1iOPj+s*iAl$+GCG`I0^eL08-ypiUH zRdYpOUIt-FiU;ql!B?KJ0 zwXT8sfdU3XGjc9{Fq>R+!sPlkn$9NITzzsS{QnfoBE_1uyl8pavdHrr&tskk+AnrI;ke)N zdB^)5gN`#Ca~#JwEcS2PzhFPt{uaAxb6fvvecpOW%UVx+%keFfTNLFf z;%6i&jepjL&1Q}Hhw$sI2DYKW>vSNgvWB;*Nl&jWuS6@Bp5WUO9bMfB<&%LdSN|e)09$m zghk2Q#=77pLr9nGvm|Z+T1zs2)FRNqRtb6vm05^0AEkorUzQFD@aovn)1l5U7RkIm z2ZB7Kc9>d1v`6b{o-XR|RQV8c+k1Mc*D^2`l>8RM#!LD*buaqi5(Jgc~R z&BEnHEl|$Jii`DCy#wVf>(7dn*7T-xixLaU8`iAOFI+qSZ3~AA7%G@83#*9DWHMm3 zDm=k?>E!Cj5G}{{!&x~FZZ@cCn*Azu?8D}F`m>uwUS=sO&#w8wd}X4g<@$)ngrWu+ ziv&V?!zw*JltwK=ol5);BZ(OP37+2IUXx@{FK{dMQkKvU)afRbFNh|bT~?Fxy3T}~ zKz2rB&XQ$|=#`D>RK+{?O*49GpojbV+|ROEuwmp9q`I^g?HUQx^X_UYX$n3(51g}w zTU};>bQ)_DO*(cx(mS(C;tgub+0_viTYMV}p|;uRYDFgUmWh1~Vh;C^P9%0A;+{ce zUXb9qlqDERJ`}HxFq0;Y6;qtJ_ftJsA2Y)ywm#m3^>H*1K=&xo8Iunj zWKL&RPE5kvB+lu~%!v;u(=%y!{LBU-endfmjxPiQ+C(6QV4jJ1AQKO#laX`;b2_tt zViWSFX@N*EoJgi4F-+lo!W6zqn8KN51HYm^g`?jx6Ne+|yKkcG?3E`}N0^zzwQ-g_ z;kB{Q(#&Nbx;7rqn>XLn^~wys=&MbK-{$M_=GIoVWpAng_bUi4YQ$h`aq}W{psXUX`zT48(rWNTqmJn z1HmLAm|^vH_p3mo)ECiykHYJdy zKhLSnePrGcme;jA)mQy=8Bwl9CP5*}84_KWxV|GIhwzla@E~P%C(cDS6{N-?fYrC# zNo`}iBG}mcWA(J^2r~-0w7|wGL;86|dt&Y7$s+qz>xZ?6Otcr)u9xb0|6d4mm1y*| ziO6=$=!s8W&Py?SWtnWp1@zakY&TmF?jXqVZabE9Um^k;U6)IGNUC+*F4l9A(bU1Z z;4xV2%d?rR$V8bg-jTV?C->q85wg~k;huee+{pN*-a1oq;PRc@)~*a%K6Rw)A?H%t zRNMK^M{Gssw_Jz0mbgxHMP1$43$V@hHQQv@VEeyppL2c5^=Y@SeV<2l9`Clf{_5Im 
z-EFYdoKEdfc7vH@J_r+AM#y z?6o{+dBXC8_IAsCmfI{}a_z8u%JUJ||9IYO^|ig^dB}6WW7w6mz0Y>3^QX?2oiDnk zwLRmSOv@8e;MnpU>BS{$Ks)Z|XmPUH|#3`p-YJ zpH5q=XH)%WruNh3d57`S&C5XE#3+N+^E5lbVY7OEUjO;i`p+lpKcA@oe7yeivHH&+ z*MB}*|M{c(&mY!*KEr;ZI3BJ3^W54`t7on8)BUsh&!5`f2zT8sd=!_(Ve>p#`{f+8 z-KorM@@eWx#!WmM>OWVp8#ryA6~?b6wVQf&)qXjL*d-3s^ho{Zu<_GtcYd>Wvgdoo zuWvioSzGHxIP~jK4g7yt1GVnv@SR%gFb>}-wbWMMNww5g-@IC?&6lX9+I;a^s?`^* zrCNOv*3FzYU#QmMe8Jk8c3)@hOuMgx^6Sg zT`OX%=dZ?3ug&=BdAa`cZ^ln=OZ{H=7^$AW*MI)g^^W=&dB5?v`;1@r*3bP{{bmms zsm?FEZm8ekJH~b2GJbutcCO9yN7ubZ@(+w(->;vr*FBHkjC=vlVseI)4Blte&air( zs{iDJJ!T~5yNy)mRrQ}&8jpCWmS}TcU;p{>`p=KK-4`nH34CPs2$Xhd+Y!opCvbyT z>5^Kx+}~?UDkfH{?DdIE(9?E{Qhb$4()6~qns4=5+PV^6FmQD zZy9x&&GVP`qno7uuH8Q>)#`b+{jKAY1Bk@)6OT*zXww(@w!$q=NHBak9fM36USHf`sKg$d{yZj-$nGS+LboXpXxtfto^ilp7T7Z9MO2cTDHye zQvK&X?^I=Opwf@uUJ!{Mc<#pE2b$G9w&{$BvgG*6b2F=QMDE(Ed0gt1q zoM7=O&bK;GbIx*l!29oZe8q8{_cOldyanG*Z(DoFcbTu!c9ZklzH@!^eRF(X-zS{c zdiQz1>)7Bp$?kR*TR&%29alKFS$w$Jp}*I24OH8!`({!_;iWFBj$LJ_V{`pvH(8|v zAxDVoyB@|>VBz0eOhYG%y^IyTFC3z5G~ptMYLluw#Z%U=SRacRr^w+cg{Mi+AwH!#;X4XGkMZkx zdQZ;ALj@~nY6+j6@2YEOxe*^BRX80#_KgI2qiw_6GFf3%bxM z$5c%V(|C{ls%+2X9boiMn!1|yzzy25b^18k3b(PX)2o{B@HN)}6SQZq&aLj7%DVm% z*3u2W-gqZsF>eIUG;Czbu%px}An{483v86j==hB-Xdrd<3Nf<;9R@<5hrp>dEKb$d ztZLZZm}L!#AgtvLm!4_SwI}Y&oMqE^I+;?T2!EDpwuD`FWK%C!^Q%Oq&!5ntuGdv< zOCgt0vkg&vu(Ma+n$8c z&17~HtL#P{){HZ1JFL7vgVqh3!C5>v#@MWKV$ZmpUeBx&R>CSF6inc>R+`FATS@ke z+h_u_N?0jaCG4}(3}%(Ea(XP938nN%)Q=5Ju-eBE>rcU9mmi)=wICdcYX6VDFM*G$ zy7#{`nSBLuL5wi&2{Os-3kqZs(69%>5+E#hmLwy|%s7)ka19d|sv+AnOneXVlM(lI+C$GX@7!H&Aw$S7Bg} z4^hZ4vE`1mq$B49{Wx$K18Q<^m)q&}d02m{g+$gBbND>|u-_gF2YhxEP{j}5V;S58&vSptMi-^w98Ip}I& zs$fspd^V@cU*>>+PTP%`HuP^02a4lqMn(S|y}1lEkn2Wu_LP-SfV=VPyg*{ihTGl! 
zb5uj>YzWtV%7jbuFqzs5E;2`SuJO7{(NVE z`eAn_G7JXddUC@KxD9)v-sS^unz^A@Z@V$an4pvBfz9URm#K5%G1g>H8OaDEMso{f zd5m*2nuEn%&o1r~i!sn*cy0ES7QaL^*%oMI>kfouEJH{ZOt4PqPmBjt^9uYZp_&UM zstMn?l>Nq4)=voZXc8#k7<`LRzy)~Mg2wg;#|yseY2)60qsL1WHH#C4hL9fRjbVVY=;FH7z zb=4z=!Q_VSBHEDpwk-;d{vs&0mkk?>fy*Gg5s(6c+menR3uXNegIt}L~xL7EkS`3JlexU7sy8sONB9=#=4hFXU5PRn^A;iQj(K!$ZO!7!KG&AaterW(&$aoB7tNVJe|G+(gv+EQ z0o_eJ_NYt&t};f265DxBTp?AcA6Rj+b3^u&gRo)5F@EhuX2S@-bAHS<7~YBPe5AL> zbURh9le(N@w!3jBN#db;smtl3Qg>6#bT#G*Z48S?iZxGSM!toBbtHIk4 zcH5&tFF4M1ie7sVJ9cq`od<}vqY!=qc(|MJON2pOSnL-ebc+jobVJ5BvKfQ<=BXR- z1;S%4WO&T$*-vmh=5_cEEvm$0ekheabuI3#k1rt7yb)9XekE6!*bk)%hC%G5%=!_G z3?yoV$$#F3jquG2BW{Eb4_DwQ5#|1bLXIHvf7I930-PfCCn*}?nNHp!pip2mv{Rjd zzA&_Noq@hEq?4Ts%e}AyCrp&=$QeTJ=p-it&odFo(;oi-JzBvh7x)V@pCpnj7@)Rm z;bnS=GEvfXCkH6hE`{fEkOZvYJ?XFmXPRf7Y~@u%Cq`}Ev(3zEcgzFXK1pO)f z&-I7&U(~niSLkP1e{cPv{wC{-x;L#K*4?E!V_jyg);z1a#9D5>%<@lby6Bgd*DcRj zzOMX`a)F||=<|wk#zjR>7CoT+W>I<3_#(6N56Yh@Usvuy|4@hI(u>wP=OLqw*JMvE zA^l72vKPznSQp5@BT%^^dUxCi2lm9LSXPhe{9=hKI~O0fBlmFY$)2jkBWwjJ&gda} zy1hAjin!C7N#4^8>=d}@#lA6%H+r+DmXrRXSxXY~A$Z5lO}RmR+sgXJ9rD|F{0(*w z9Ou}G?IU63-WlvS(c6>yEyJFFZIme}QXM%hvVp~#KYpVs{f2mf? 
zG7hB_@@B$)jKmoi&Tx`T1@hPlDj0>~>;|?@g}4hK$ME-&`{X(knF^-XBQZ@`+uHKT zhAuWKnP){;zfmxj1|3c03k0k}c69X-=PG?_^;& zOZ+fBNOrS}-pAq-Mrr{P6Q+L$GK$3gj8t)OPY=OSqs(m1i!g?-(gMd#Ritalanm9h z@+vvv8lenhM)nj5K6Woz$t2o1+=T>qJ>tfTmQ_>O7_dg)$}HNoNQ^*YEs?!>Eh|Qt zjGrXSa_#t`2+To@5X3JLF+y!|&@Vb5Hjl#tQUgD}L#9YABQ@}`Z{(#0qqC>H_|9dx zS!%Jz2+LO$vj!(AA3QO53p@nFj`*_u@ZE%&c^|JW1rGB|csKD#lA6Dg^OKLSN{-^E<*hm+$Z!Z;sIyS)cFtowh`@xtVy>M_BUmjsWA{ zorr!*=FMMZV{OZk^f_NML@uSA;C=2UTWxfMtGRT6xWh-8!zHHfeLmZ#8Q@v2B>?wr z47kL!2mX32-3q~ln`KJPy1>tsCFlO0VzzAtH&P#%Q9mc|L$Ib22e^bYUNph-Ye5C7 zaSQP3MO5P!A&0g;53IJt9WGgI7fGwF^$y{xe&#H!oW!*)WiFVNll5M^D8F(-E;Di7 zG#5$U3MC~@YH3Lk4^IMa(hEB4C#5re;(3=WQ;TyS+tpR4FV&@xx}e$f+x;dR4a!*kZZSbuH(f%UL;m-X}3 zE!Iue4c0qA>wk`QinYu-!8*#Su=H5|*YZQlYnI)XFIc)PAF|wKS!Tf3DrE z-Kb4#BicpU8CswACh%ye*ZfWM2hA@u-`2dM`Ko5S=A)XdCZmaJ7He+P_%$V(D>Vl7 z-_?Iq|5E)O^{eWg>QAXZrtVa?s$=RU>f6-;b*Xxs+Nk=6>QAaSRo_*0t3Ivzxat8_ z8+c1-P%TwetAeVD;8DR;^v|MqihfmewCF(5^F>b-ea3W;sl~L)G~ZNVa+%EU#;1%QHr{JY7*`u>j3J}Tc%AW5quS7G_^siXrQR~P=)t0OMU6#u zMKg;g7u{S`46>I0Q~p_bT=_llrto#;XO&MXA5yMYHYt}WXDM${PEua2v?$IhPUdES zWv=40x!)h8|DG*iQC*=d!iyDG!hF@FzU{F%N&l!yoeS2R!^f55LF5qdfdB55L2} z&kEh&;^7-S{3Z`y=i#?`_zfQZHxFOq;b9&g;^9Fa9^hd&4`1csD?EIehx>WBkAa^N zy7%(%B_8hK;fp-n&BGUX_;nsW&%>|ra3>GH%ESNS;a7P0Wgb4q!!I##yU?9r;Il$^ z3lEza_?&QH1`nt6u!@J3JPh%$f``)>_$A@MR31*@;jKKpg@==Q804X!hdv&9dFbJx zn};qQI(g{eVL1=WcxdP0Bp%+(K;UF1^01VLB@Be|{6!w_VBn{P?l180^E~_<4?oMp z&+zcmJp2?7xAX8>9zMgvPxA0-9zMmxZ9Lq{!!90f;o&D3_$i_LNgh7I!;kauV?6vQ z4>$AhBRqVJhacwQqrgs&@1LdSAAW>~AL8LA9zM*&hj{oP4gk@wS4?B2x zKM(KY;k`V(hlh9Za03t9dAOd3>v-74!&V+`2dL z_iwt#@Z32_0DdRQ0CM~PX9^?$KbK?xx&8m<0VDvq{eN}<2|#ZD-&!C6_?jdG$nF0d z`bq#sy7x!&nWE2t{NNn-|KMihVEpVQdLv}+5@3I?0fUofnALij927XOAaDa#1Jbaahuki375BKwM9}oBP@FgDZ;o*xs z+|9#XJbZzNU+3ZTJp39DcQSCNaNxgq_!S<0nTPBS5Z+}slK|Nr0zh_$0Fd1w0AzOv z0NEV^Kz4@!kli5w{4`&xPw{X&51-}XGdyH>2wxQrJk8t%$nFpTZsYH6DT4ciBC_e+dWJJpe#<4*-ze z0{~?A051v$uVcOp@LC4$77kv+LmLk#@Nhg2ujb)ZJRHZvD|tAUhgb0MavomB!%KNM 
zhKHB%a5N7`@zBaZ;2A7DH1p8JLn99jJk;?}%R>zh)jU)&5IXch9(M9D%fpR4?BL=3 zJiL#G_ww)_9^TEvyLh;PhwVIE&%mz;2iEbhjfbr~%LH9TC!!<9U&=iv$-F6ZGg9@g=2DG!(M za4`=T@vxSM3mFI!$pt*D;o*E9&g0=+9?s_BEFR9}VKonLH>h?f9xAF3;QacS>V)cy zTBo+D$EqvfeA}U}Q8%gAsE?_Ss*k9<)qCI!e203wx=X!Ty-D4nZr7G*1KMiv0@$Q& z*KX2wnF3~;xd~4GkC{(eY(+bZwij(K>L^MTttqN8Z8z;H>elWsc9{ipwYkpRZr*7= zZa!lvF`YDzGNnw%O(ohr+9Tk9@QiM(E}*N{)xnwmc3rpbnC^sLr!Uc0>+3)Zpvxo} zPZ*EFY57j$4&!m-8Ph1!8q+55@_$k_R#gJ$?kQD=YO`^ZvBTJIOc|SuYm9YpmR@bF zFb0ecV~Npb9BUk9)ENcC8N*4#3Bz&2F~d>A5kt3Ok71`_hhe*+%dpw7$3Rr9{o=J4*hnmLtCM( z(XP>^v>l*#uwAt@i+=&-h1Q`RQy8f%?8 zrLI#~t4q|Q)Pm}y>bUBtYL9BWYLlv6wMJE=s!%ypHkGdE3`A`_R&=CjkHujbYZ1&R z%ty_8%-hYI%qjC4a|P&Vj5VDx9Wm`Rb(z{tb*5^Q!!*`pGu4;_=FR4Ai_Q`#+ELV1 zw5h1Qs0nlss!biHqeVxJ+l`yeCFUA)hq=pq#4@U=!gRu{Gj*GefsR9y_JmHSE74Wx z*632Y&AOesqq;NtvHF01jlM&_*`za`G#)eVF?O3an|7!K)hJa!Ri|oFb*Xk*Ypm7Q z3TwdXu$EYD*0G>}qO%H?GnSK<6PDwaW0s?qBbIK<9?MS44$F4XM%irHWa+T9TT+%L z%Nk3arN&ZisnFU$*JG4crxi43G$%DDG{-f^G)FZ@G~Jp#nw^>*p!w0I*{s>5>Cm)m zQko{s8ujs<6hK>~C@K~X9wF(0w@`YOaNvZtXz(Y{n+Lu}-}n*z!YdRXr1&|Cze;fz z#ZOcGAjKb|I74xo;8%SFAH0U*>qvU=YKljZ`-gu^@GJkM_-_>do}`C+DgFsbU(=)X zD&aLVy?%&d8^t?G`dTr?pQQK8D1Li^MoZ`6@;~t0a()NCJ z4ZZ#XeeTON-AdDk=>2CYewE@6Q+%AJ->28x3GVKoX$wu4)AV+l-bPd0URMd-(EcCxLA0Jj^pkpD8}O#+W$$48&L}QGZf!N@m`AQxaj^i#dO?s<8cDtf1W;%%MbW9 zf)9G=^T!B2G=<_nP&}35|D$*T!FxxO^bj52d#|VWqx8O?-lyYy?`(RX&fC4K=zTmN ziiN!?dY{hoLwNjOB^<)*0Nl^g`*fW+gy#udr|okH&mX{FpwHp;1@KEWA3A^b;`V{> z{+L|fOWWrVokx4$rSJcQ+~23A@BfBg|2@4vj^ck(Y$xfV_b9F)_YaSv824wfaM(m~ zjNZSF;&zfAou!?#gP>BQk>^tqMf`b%_O zed#KS@%mgW>^V*F9!!}4e~;pqY5FCaZlUP|G`*9iv|sn&{)YDh^!g1ny@aL$NniXE zO@BtyZ_pI4i^al=pQ899G`*XqO*CCX)9EyI(sVpc4J6%7>$RKKYxj5Qby~08v|hVu zy>`=j?WXnGP3yIrw)1X3eV^8A_ZW(4y>|VP;9WnZDV}e|!Y(`yA;tX(DW12GZlKTM zc@B6H#duu+O#5pW?XO)ra{q->H2pPAX}w<9Pw@6@NP4gerB?|DZ>N~9^M`T$uM!T^ z`XBy0xqtX2^88`k9&rB?^!mr>^;c-xNw42e@vAh&^BKl_GsWHHx$a-k^v~q_p@|f~ zPVfQReur+P*LRcjfP&)BlIITpfZ#(xf)Ae@Zd>u5<>$sm`{kVeQgFiA`Q&>oZAuU=2!vp5pZl(g_qBNxJ(CP2Z;JQJUiMI9}NO9K~HUeUPSU 
zny#iPUZ3E3ygosS+XvE1>3uxj#tXY}zd?%ECrJOB+~4(enr^4*V>G>srg(jV=ND64 zNz-zg7SmKu(ieJZ`oA=#^?Cu%&+)?cYti*$;pG@j7t$1uH@I%6cpOdf_$e0l|CQkV zczgh+<6%GUf55cA_v8KrjQbN(+JF03()VZ4)K61dp8Xbr_tE*Z?}S-%vv7^@f?(WY z+-Pht&NaFW|1kU-_QNk3K5e+)a682K`>pOTn)g5(UaNjiaY*x)=5^RLJ)`N=%+lCAfv%;T*p9`-GFAAR%J`Vrj$oX-hY&guPreVOR*K~Fu zSExz_b%rfGC1W~xj^2+fogK(Wqf$Z4H-x9gP3!DHP8yYpBvH+NDsN1fY>C-sw4}fp z9q}+%i*08YhpKGh4Jk2`v9-ino08GYC7m56{0U-rCp|+gvfd7JLVSUn?*OOQn91eFdZ_y2z$I@c+ zYKRPtzmUHZjb|coF}>l!+IwTuGVDGN!ZzeBzH?Wc`Ae)3xb&8-F`aBnF~N>;IQHg( ztH>iB`_#I4Y(0y?F-n?o#b*;?*tbE0vd_RbSeOCN{TImmd@1eYd$irl72AustxnWw{puJLU(7ThE zhJ$v4_~Xq<7>SM88+`@>en*<%V%ioHGaGD8@G`mw@56`j`{m60WjU9B@Ck$A)^g-Z zf9kE}sdQ|r;of`eIy)3(*&~)?!Zyhm{+#CltSSPxs#q-9v&gf1ew{($6)a-8yt4!O z@Kq{^4V{D#*^>CEP>fhf8&`>f8$wBe@io* zVCkD^mggQvu{msmd%C6+f}u%yw*wv^3@FS@D+;aN5>LR4%uKd93@E(EWbg#CpBaR*79(W)~285b$2Lmy; zJJJwydEHlJ&t~vjbh+AE><@=MK9|ECxGa12PJD|lPFtnLDSI}>y^~*@F3Fxv;#-%I zmfMP*F>H!v&n9s9e3Upn7q*U=r>mMPCjY7r1 zRGyiDuQ$WQwuRbSlQHo82AmYQK~7;G(D}k=`Z8esx<8hrv zpU36$o`05=3-`fNB^2~ydUJDi5}16b6mm%@`BwuC$7tM(^0%(De zVj~k7D5$NZEkWWiAb05C?=zMLAL+0aO2a6J+p)yDcsiM&dlu?8u_@lzRLE4CfvdYh zahqU12L>ZF!&{oLYO^p zP#^GkTtR8|j2i-rV~5UF(-3zyj}gvMkXDWS2MMn3&l#lMCy_<~DXK4HArGx)nbrw`}G1 zoGs9UZ7qc>#LCW&8wsOWN;s6KrETZ==~UR{-GDhD%CbFefh)-0wY2SfTGu(Nv*S8k ziiat?`tumyKj>j0VNY@*W+P?h7$5A#P&YEKs$a=pYRgW(!(FpQhq*HY=SSC;(sno&076iihG6Nur;pB>zX7CUkaOiaTYq zoix=`Bc^}@iNEnSWhgZtI-#=xl^vS=z8~5K3|doL7}GRTbeOVeXH`xRik2HLkGcH~ zVOI=X|3k3F2CoRzIS_1cdf|T_7dT(_HN>25hu2#Un*y;Mc)GUc*y>EOEggx001$D5 zk@A^|b;-3c`;2u!wU?|}>uuHXXf&3v*(0{=+oxP#Qqq{RRnM+kJh>Kl6U2nn z*Gv0Uh(JQl6>N)BXunokMpK6Fa$i4}Z{E^Bm2QZ~nxl9}z*G?WykPq?Wd3L19dT~^ z+joOoxI@XEv<>Q>J!|jm7=zb{2Z)nr;VFrgxY$FspE;D<5MS)#^fQBiK%n4qc>;l0 zBNS9Fe?|8|u(Jb&K2<6_Uucs3k0SK*leS7_s z>+4JEVLHPdn9udhgyyESG^z8!8Of}!&rR?8(wvyOAlvhv(=CI`zy~CWc}{HjUU>gQ z?Em}s0GPM`&wBu*{{OTy2J`?({r_o72Jiq#{r{=QVGn?L`+vp*V9x&^cmf0ufFIcZ z|Hle}E>gu91D*rI!T;gmaRzn^2jAr3FM0S29{!w%zvAIfd3cP6KjGnzdH5q9{*Z@1 
z;Nkaq_&pvT<>7aE_#Ga8n}M$i2jAe~H+lFv50CKhTRi-49=^sy)*u}6J;dKV$io9X z?B?OCJbZ&cOY`!H@CqqdeTq!^e5}5gtCq!w>WDQ64_R!w>Or z6AxMYa47Rb{9V?%816p6-(`)B;Vx@z3~(d!@IK)nYitaVH8uu#AOG;ZJiLd8taUNG zyMe#k&cpRQT*t#U9IL}Jjug9^Y9%W{)vZw4(noXo=@ z4+A{(^U%jbF9X4=h=+%69=dqwbR)nR!3=K^q)!dHZ+g-32gI;wcLu#q z5j5o;Zqfa4GTVC@$mtY{$LHe{lDZKekWk5(ZB9G^2NyY2eJEaQldZNblcHz!ix-r>Is-?kpkQx{rg0RujIHF3OgY3a zgKth{!qSxXb8>@JtC}{1)A1-MN{P)IKmhI z@cKNH>HCnZ>ch|vRSJ(iP}rNnbSJE@2`Y287oGhos3lPyD5UnHgI5LBcdyGIua3#~ zqLWvJ;!3hWTtRd)vWjdkI$KpJIy2;kbZj!nAi4kp_+K`Bp&iGt?FbQedePyC)UdkF z`PtslxSbxhl6LwJJP4r!9R==#g9tny>L=Hi*E3TBDSvQ}Nopea@l4<62UQR`M|zV# zpBTQTNPV^!9d0QU8;SN&os6ako{1w=jE6yFWe3r?jjn931?QM0YTp=oS)o}r#=45+Kq!Ee2Or7T3dKB0tWU-iImzE-S$?b!tM3#xU`M4AU zAoe0dp&b9Tl;xk0oluT{S~}hpbvpeqPtYFoxqP6?;s=H0sI$QyaYr0ZkKgb2L;|pE zA~T`fvbnU_>um_T9YIg{(rhoX2~to^mZdpG7I*`h1W9k?7g{J8vIvq&CaJMJ2vtM2 zlnTWoL?3_Yh?%sSWW=rz#Z}W9X?ni$KpFg+pjLSMw&IZ2*tv01kEV* zyVmEd+blmeH<%Zjr<*>cx9Hx}{Yv)@h_KhLTdkW1KKU#VM{kT)slE=Z0Y0kfP`v^# zE>VmT-V|N~7Xr@+?Lwol1pdLF=4D)(F;~&4IW3(EBfJoL)cb_5;if4wBW_` z22j2y*1{-58>pa(wvt#`W7#Cw{3gg^Vgp6&He&5TciG5L8O*05t+6PKTRgUqv2&~) z?5kSS*k%CjvXf~r9YHr*#I-S7ycM?0X>8Sncv^C^+EyJz%(%L2{YNw))&SLHgPZwYdj~N2?f5WbOfj zH}Wdb7+^MYc1iX$w6+|DVGN9LX0StNz6)qE80tbYC)t=x+};+C!f$G4l+zoe%H{NC zp)O(JwilTZHE#gf&e|9x@dh;fZE+Zwu?DfNxz&aY-jM-EPKX1RX7Sb}^ayK}l%sga z&b^Ph20KKdypr`DbXp-@6tlgP31jQVgmJk<7|-JX**H7f>%+NpYDq3KdywpwX|bN7qZ=2(5bLhuwha_whGI*t-?*&UZe`IP!P@hWg14FSOo(V3Ek$W zqj8Xy!P-9KoY!~YNJv<7V*Ifj?dk)#0Q7(TmTRwX5HTlMDuM592jSO^6ztj%)NlyGE zp{L8RL4z0C(!q4zGPDIO#}|lY#WHpaScY$qP4=?!F@I1D!vE~CFxX#uVu*73TmicS zJkNl>d@vRWMu5Gs2dJhS^Cr-L<0AqlHt>kU!3bNQF zyGtO);1ecl1LOJ(Y%5bR4A6;;7)3lCoU%ZVt^>X%`EXa&PmAoy@jLkw7KB`qzH(j3u8q_U8d zZ}eq*kqNCrk)=~lqUGmfDCS1kfCDl2&@hJ~ta>-%rG!wBWr&6$i^klpdYLY}HrsnW zuH1vSlXd0Xh#2DHV`*d_erFr_kRn_o{<)eQp^+;#dK)$j$Yf}BJUZElcf4?RvpRun zPV;6icG|)9_FC*7puT)Q81&$s0-Udf=1qqYLH@|M&@P~i9l>C_$PQqTO~VK-HGuI< ztbHmfY*+@!*XxxHq?=`qi8;KvIWs+d}97uv$kru8~SOxtm{dD~#{Uy3z>JIC^ 
zuKT2Jt?ml#=XD^`8R%h{5S17(Uu_yXYsSB!@O5S%N2cIrUom1vZAMExgXJtWKp{o&MT5B*TkV`VVp}2t z9tknOHk3livsa+(fGIF^{bU#v$ZJami%cY@gmQ4U4A4${b5aCetr59gz^)&1nhvc^ z;OVNBxafkVxKF9YwW2Llv&iM|M_wYPQf1%`s|;4?a#)7fX3D*O;I_RWscLW_XAz*K zVh@BJ(B2^McY}egE9mnAeHj`_^aTPwcOV$_x}8q9D+q2T2G%tQlsmxXjr&3|R%FYI zx6GKa$}~6AzRWq10S`kh;Jbp{T^DI${L9EoS_&AhAWAPg&}h5yWulfqZ`t#-8+NNtE!p1N$q*t$W`#uhk)G7Z7m|LL5s(qxhKojIL@PKM5iH@= z%o4t0oIWieKSJaWw*2$)U9#n0A)T$3WqW7f8$|tW1-Q8#WaR}R!*u)x71|>qgTn>c zS25WyM?!{5CdcKhkRgO`5Yn=I{7}U6ATp@HFA*Wb^5QV~je>tMKakX^_zn>=EN6ra zQ`k51LWWV<-dphVx#(w*^49yqe58B3rJPmThJaIfBCn4?cYG zxbWda=k?j%da@=5F>$E>&sdYWjUnhFO&sW;bt0%T4g3K3&`w4M-AoR`cr!c7;kym( zjAeV5;f{Lv7Sd75rA;925N$~Kg$_WHAaIFACt=nucNmgNCmTU+m55m2m<>IHAHXk_ z08^0!4}x$|2d;==A;(v7UCCAf`Tc^;L=^lWmZB_x8;z_*u8Q%Vf_+fZW&k-4_zMH) z$>_v|3UzXO(S_hj4#Wc+uqX)5%#iP6Yn^fw)%SK(VMN z|0(P|5LkJg-&n|g<0|W$`4jqDe1}k%6~%6+ zry=T&iC&;C3-BF6T~;vErG|YYPhB9FIczRy7dV@}fZR1-D_`{7RYbS1RNg5VXBeHv zD-351Z$k{cEry36^4)xcOaF0wR&UmJX&=_E)4W(@D>5qoqWr1yRplefJC$pcvy@{L zZwcEJKM+!i?TW`0_dzUxdc|zTWJRfBEcmMKg@1ki6kih_>T~H|0@VlpCE5O~GJWh{ zm2pA7FlUgb;GF8+N@>o3900ij&M5`193OLm*FrHEv`0k`=u)_SQG3`gI_xg7A>wj~ z-Ug4;4a^#H4xCeXSy}9K1{yp_A0DO?as-@H3S7xdC*%%TdLuub;6w%0dU^3MJizXpRXvJ=A z6@jE6qYAi=6b)kS&B-|E529tY9Gz8?SPHhh*IZc5ThXaMI{(i}C-{}WA0Y(TSwzIL zXsjH2?9Py+Jk=Hk8c^Hjt=q@;VlHxhAIty+$h)}2pC7<2l#x8=9C>;CsLPB~VezC?Ri0~1) zLVlQ6N06KcS|4u0rD$8EbuyYGD6|C}2x6zdAW4F|63r*V{=7hg^m$IyAw5R@<<3vX z8_{7P;vtCN$^7%EK*0ii~Y!gI3ym56d92jS8MT{e~NP2vhZNJP;qFY?CVT#t-! zumKoPfn6$+7jMq<^`&Iqzh$I6oFMu-HkHeOy8T4;v@e%L9Y zcq+gcoF--~L>RXk80FK%c$!|&-JI>c4}W|n{`e}69hqdSg)Mj5RtcdCAQl^_rn$4d z_u|Kwk;ggxW@^=ew!Vu%H4gdKr9KCMZ9(yqau$y(vBjes*p|ETRZ^Ih6QFdLG8a~l z)9w|n8F2Jpl08j~mL@0=Rpj6ct`b{S@+`gzZIwNZf=cG(CacD~ z{G#6_g3*aT=8d5sMoxP$3cK8(BNz$72Dl*_i9RG|Piycnd5oNHtQs-L!go40i;-zS zEbJIc$%eqVIdNfVA@z{W5I&LtGNH8Dxv-M` znq7-mNh{y*#}_OuC?IW4La=Ir(Jol>OUq^1(`I~|Y?xL_8>Y*%r-`jL+54<21}$BO zyTK6?FU_7N=GkQLvns#$IZdpy=^OdI&*P@! 
z@f7U%8sd#P+yY$jTCw%698QE=k$(jQrB6a3zyMZyBG#H|l0c?8nOxf@6*dKD;<q(=emZP#tqb?8#MHM$yIh0dX~=|<@U z?Mdx%?NM#Fb*FWQb-T68y4kwP+F@uR4v&}r#Jj$#y3#K!slcp1<89EH@ppDUFSYxO&)EKG_6^4MpVJI=!3}X$W3_63LKchdXKcPRa zKc+tlz8bsrd-OZ?JM`Q2UHVP>c72n+PG7AL=u7lt^*Y@d-3i?>-4Wd$-40!sZWH)+ zXwua|)W?9XL^oEa)1J|u&>qts`L`u*9~A6^7WkkAK4^gtS^&3zwn$MlL3k~WQk(Ev z6U9p@UPAG7imNDgQS7960>$GgHc@OO`0#rKA3j6z+Z4Y=@%JhI9>x19-be8lDc(Wx zlN3KeahBqZ6elT8P+U*(3W{e^Turf;Vh_dFQhW`?R*EeIANmKuhyG6S?vf=ryx08~n!ZWXH)y(trk|(j$7o9H)lKWwP3zTN zN$;1@^eUR_N&4z3n*J|MkJ9vIntq9Xv?e8UcKW)GLwEgze_S;X}Z$E9n{j~k|)ArlHn!Z1Wra_us zPt#E(-SUF82PK zJiqt5G~GwjFVd9OYcH+W-ZZ_whNg3AO6#@vMvBMKR3Pa~f1>HnX!;GBzCcr2ua{_l zy>t(~9;Yd-*Gp9tJ7{_}O^qbo^BzsUVCW0_DrVN zZ=&g?G*y!H#Xr;Z7c_mHrgR*>_!){f)AU}N-a%73k6*lvVmD1~G&PZQH?7xhTCd&T zqt|J@cGG(8ruEuQ>$RKKYd5XeZaNNk2kHB?Ub`=&nAU68I|T3gIZbJQ?V|m)i}u$p z+F!fwrq9v-+O>pY+F!e9f9<0EwaY;6zi^tSZ_$+2>xEYko**15rRn7~Eh6c`ztHqe zn&S0y0t9`c__H+q7}Ed0LGh+w{ViDe@3MXt?E4p6Z?)cRdC&3-OWaatK4rSZq=5bH z4&8maxNg4Aue%y{h~L$|qTQkWm^P-Z*1WCxq2@W&d#V$vpQs*Hya_e{wTfF5*BG8q z=!DaX&nn(9bQ;nIk;VqNE62DQM8*2t?+?-o(*h5cWP8F`68uOAOT$CwWcq8~OYyc-TpdT(G%^j*AzCr% zHG4tVY0vho!r47U4kbhH<3kc&yE@n5eQhq;t}g*Yc&5|I(IMO6l9U{z>F})7=>rJL z3tajXE)?f-D0oA*hxj;|LY6X_LqRgkps(xMz8<$a+e3VzY%C|QN@s%Sy7Wj3&z0F8 z;?{&{MTa;wq|$89GF+e;BzsorsGyB5$@UNzG(^j%0_pw)yl|CxnPIN_K>?|UwNpqIOq?C?Gabl3;sVKZjI;`{q{(}ABp+=;LgJtygb{( z8Y@;5$D-ho-RX+CFU|I_#)=hr-GLs~Sh0fD9q1u$0f_EE1@X5BeM;Q8e3)3(R-6y| zR0S@|(pY^9`6vTFbKn6Ls031-9!jm{X^5;F7v@NLVH?=#HoIMnH-?6EvIQ-Ws4)1L ziV0jZ%9C?09Qt5L)90-?-(V12i~kOUKu)i?+q@NaU24 z0$#Vv>kRmVZWP%Dx%BI+yEG8R@*|U`yjNE6p(j~5x$RB|Qrf#vO1$j)g@_h7DudHa zx2v9MV?w7`l_T^d>zK@j2_cwTV-IRb+oI3Y*ge17RR-OOAC)6L)sk{J1lSU6aeEO11rst6B7)PZz?G<{*V@K66b!=o;vvZ-O zKo4gUPK(gP3VBkBM`iy`!I-u&6pV8iR;-VhigC$o4|QQf+`m*vH2B;XQJee{3N)E@ zVpGA<y4&@rOEOH1gb>5(Gb11X^7YoM>Is|ZW>E$i9;G`O)ZvN+A`M=< z&jI$#9{6bwhQUb58H+_+QAY%HbRoV;4{=sQ)b6GgyMmEGIN}I~A!Fi^hGu*fP~T~I zF(8_I(-`VY9MsTH=-e;X}ooZE? 
zx5DZ9dUM#g!g#yUZoJI!cf)@hzG8S9yaTKSrh`EUwEy>ncs|~b8kxj0xDrb|6d59r& z<}i2&;Nqcf=Kl*dx9G1pRS&qhPt`0%w0gU_Ap-m&X%x4*Z3nzailF#*mX}M*utofV=2` z)7xNoc)hWp-wC$fUeCZ^2zVMI!LUcP$575#S3UsdgrF<$^mrVuXhYZw7U37jVw+h& zS;gqsL|aWL#Hc&Z3RO0TZuf+ujUivCdT}VS9&q){P$X2jA#{5nw7ju06}o+WX!!!> zr3C;h+d|dLLh~CdouTTv2yX~gheDCY%5|aJmxaUym6_1(i`kskA{=h4bcLoTL(v75 zcOeYVuSeO1*H^ZLZeJS;qv9|*&1?)MLsgN`?8ZEcSLhRMm*?+=;)jAmk5KEnx3M?Qci5i{aWfhL+)CkgCeDX6ML@k-!EyNk#u5 zd9tu7laL}07%`hPO=8JLI$8QRDj(WZ>HqzqO_cuMAJQ~|EhY(jVUlq_rUsWPXH5!53MGB^*&~4`%{RWh;+qc@PD*;V0q3k)(uYDGmNDJ=QE5| zgUd&L;lQ7qDYs_eJMzl~_uc+hj6p?L{ZaiquRVMxk883$G<=1V3_V$1o31(|XSRLp z3>ep#?eP)@e;UbDVz$qX+mPWkfXVjYyoumz8pmW`pY0(bD2Q}t8n}Fv<*PutMdD5n z>DE+iUI)=6dYnwPrXq&hfiDm)b}GwolQ0ux>6tp-9gD`iE>G0%az-M^r!55dbw^_M zsLKfyJrE5yaGI+%=VPxUU;|-_rlZ>v!gYc8KCNnEG^f?BQXf%3|h-ro;8$u_IKz)KME@7 z_@khE4j&!VZ?79Uzrk+Wz{US$8;FnK%tP+j11V>Nx;8knVdX_`Brl@kqYTK3E?694 z%DS^W7P9}MzVPa6YG>5Vs9jQpDzJbE4^^6shcW11z?8QAD3*Be}S4Ca(q zb~5Cb=;8Zz^ksXl$DKi#gQ+qrbUz&ry>=bjjpJ_4_7JE2#2R^Oe%-anO*dFPufgw= z#d9jRcwUq3vEiFuGH^6<6^E6R#A_le=M-!yjLrqdGv%6sR?e&O1+sEZkycK#q7D52 zM+Jl5aJ50L|AT(F{*(F->(}X*=!3eKKu7#O%?`~L%|q(l%KMc~%6Uqk@&=_*@ngly ziZ5GV16hGf5mjt7z79I?Uob8e{v`ZDctiN2&?P(!k^uBiFlXN-R?B#(lWUOaJAK)> z|6B|$K&;uwWUm@$m?M~S)x9bEt`heQ5m{8p3_cr`5JRsL+ja7tO4O^wDxLIdrPQmy ziW9?hLJup)LtI@k*x-P@w&(<#a9`ME4|t$RcWF5@<++jrCC+X6P((&>Nt_ZvpQ5=H2o#Ryn8A4@V(aZ;F}xwuB&OF& zQJ#QXXaqYqdz(FDPvE00u^9>wX@elP8|G@n=CTVAIytA`>iWcDAP#Pn%8> zlCV+|KAiVKaxsPoEHD{{UR5G?D9v8bbuP&E+=*-aFk!JP-^c7we_Qz6;6pq42E3h5 zpwQkBN(pU!b9d3u?E8eY|K*-!KY_o<-OYW63{?6>FdQEwWK&h2bvDm=xd${xgzzH; zyz!0M9^&?J8fI}SWr!c05ilT1VQz@}p=e9}@b&UqrjkxV2tXn0= zx)o=8nsI4wCiT+vX*A&4hz~u&wT1A0*9UbZ&hrSF4I%nYoaGVv9%AV`@s~%4W@!9S zl<$DP6Q6p7IEUbX$?J4EgHiB;*F*f{5po`4$axf3gT9d`=dh_Ee)BHF6%1i*4lpG( z=GdD5&(k^CcZqwQjU?1cm9#z=3Wt3zr$6fVN9}HB01gKsax@%)c>Qn~0*5L=2q^7v z!hZ2xH8cFHV1ay>^}11|dnlTHw+K&&$4DfBs{gnk2Y^-jL5A9YeB0r0N@s0tFnF&cqB% zH>0*18(Gs-ea9_Ic<5v(rT$T|Hb^8xy4*z`mJfNNi=zkKQKOH^n#`OHn2li 
z=-<$b`boNPfe(P0U=8pZ#0RL*UaEOn^HGgO{cH6qwNv$+>b{~gMQ^B|&{S!9w13y# zXS}Cqi?Y|GSI$>FXWnXgb~yipue!D=je#kO5mO`lc1`x5<#L_5+5C|D_ zTnPALfV28&GSR%DbSrvEfnTy-tx{_X-*V=jRg`X3a}O&EANJ)QF4?MrR%^Z3B+kEW zu~fvHuT~Z53X7P+%JZwCN!nseODG=@?zlLmb!}THmGK(+GR8Bjp|jS3-}7917L^N3 zoXCq&P~WyWP)stOpecvmlByeori)QP=eC(r0ihjb3Ru{T6StO2Z9f{uyUY-Fd2?-E zy0r{H3?3nz=;6Y#lz&#G`l+yN$hB5KB1{_U!xOib4q9Y)zQ`qm63> z!v9ORUM&?EErT+{B9Lq1lC8y3dC{}Etn=%v^r$A5EAE7C({XXp;ta)=zR#5R#L$OC z>DDU-E3Q9Z+{*_kuJovOZN9iO*y0xD>XDJMM6~UD+!l*%tAU&%6%P@Lv;#Q+n zhJGfqQ>t9)R)bUs`N^DrR@a(uh}+;Tou2laL{!;^7#2~K${;^Qe*9Tf$bLqzM8r$F?i-{C(xdt(1@92%4*!U&YlBo4Sd`^vQsJuX>}r<^gWY;isHk4N}qM`?T;K z)8oRJd~@Jm6Sh^uXQT-z5&8V+cXf$_l`fS|qE_Qdw`P#i6~1G7tYq7Kc#E(^FwvyK zwQ#zSJS5U5Hzhb~swS6$lWlnMbuM{YPsv>4g{Un_i0 zux_xNwLD?D%KS-lndvL0pz*uLWrklG8uah#*TYcxn66m+C2gtZCCw7`uhdD^-&BvN zN{bE`)hd6YY*L(6JfIi@AGuI}Yd7kygtci3d|xjp;8!RlKx{)Lur7kCx-E_3iX~!T zY=r{2hiEu^rN-rOfjyeb?sVInp2;5XWUs5t=k$6V0l7PVN6_u_2%D6Njarmjm27Uc zZJAU&5(j_swuPbEXk2U_BtwwtI{aW|S6CDmxDEFOg@={x8#O4yrLq|=ojcQ32?Qvb zgp=YK?GcCv+8DE85|K)#TWui}FHNql&N9E>?{-4QeY19!1w3G^?+_kRHf&U*tlhF% z^JXwJ!PYJ#pOM?^cln)i8F}1pw?7~}sBGS-%5@=hV4p6WlY|g5(2ii@pJ>h4rsra* zY2~tWlm%SSiLS!z9A!bL6Abo+2b3E&7NP9WuC;K)REeq9Hn5oxL3oDGxlwb1S{)Y6 z!O=JIpDLfX$KiL#=k0+}<@E`jFn*LMZ~5^vS6nwUfe5x_TS6f0>SQwX1j~Xjeq2Gh z%7XDGc%T=u%J4=7$`BFG!pbghC-P4kyIejKaBu*lv>+46-sf>SeO_Usa@9rwWpbTt zCN(I~Yjv#MHnT=P11G3~gHm_jp$Hj(Cw-^WEp#Xo_oMI6=<|IAp5yGS%h}luFwZ@K zGM_u>3KTXQ-0?d+ZcpHTW#&GV-+bBpme$@@KC5;H{8zrDG6et4AR%`pVYOT>17%L1 z+Y44G1+@&6x!kbucUaQV340D0F$hcEWjPF4?^52s0p-^y+md8hh+&AW0&#t?laiX|w#GUXR%J09 zMc@b&Xpuw08@V?1mIYlwm}i9*hC9Ka+vDA!Otqr|%#f5 zM3_9@GLOgU@XO43Z%{p2Ds+P<^v0MCh2*Mh0 z$=B224!9jM^U_=9bi%6cUaxFj*MF|F#C4(#EbS90JG@*k#HU2I>9KHIBZReVl*`pq z=Jog>wr64MdVnAB!1?PsWlI~%weOl;u=-SiItH{cP~cj~KGGzgozvm?(7^Q1g54RJNv2-tv=2A|t3@=Oq*L5EL&U z{r4>}bRJL8DKmKxL+6IslTtP%QLaJRzMYe>5iRLV-YbcePF1CttZHkyTms5^MfIC3we7=P8{uY#{{2IJ8 z7S15A@vs!o7`e8k=%|$%0N`_9+w9ne^~rQpmIye?+FTIKpXQ0{$qC51~OjYLq3V;U1asoy~ip9c$g 
zxmJcdup4sv0(U6mag^~bvellxXkn;owp7EMVYXZg0}~i<1!S0YH!y)-7{;Esvb`x+ z$3jL0j1yq(gLC%g^&;#Rs%HZ&M?t9J3CVo1SbDVJ=mRnI^aop$KB@#Adk$ z05%Y|Wims|4R?Y*ptp@mv*Iz~M&Wru^Ee!t)u~pfZYa7^`Ih2s#YU606+R~nAV!6fhYU{{y|pf z_D?9?vXYf<6iMezdFi7h-6+{oFG*OC5Uo)7$UNFK$fJ@(XyTTLR05FO$dw>3xGCKd zmcEM~E-XU+S>>o<2zjn{74}=rn}^fd$-#;s^`d*rZ0T7zBa&-CnL{GimRVB4(OZQrDD#qf zl7PtTx%^Gsa<^34{-&oi?Mt`ZB^9!t=_x&{-Z%8-E#HDpnTb3cPOs#etk3aP*%ow+ zP6YGljl$;Y^MXbXlG_3QO1m`DC*>=bKYP&}9>$EC*ae!tw08Y8u}eBnDeV#lD~0r| zYs)n0!~INEnWMEa>Ot46!gkVw1o>k8>AV+9`RZcShUTGt<3ePnzjf$3I~OAVVSf`Q z%?0=~RK3rdLH+UtXa&JI>wVS?s@>nmr>@<+wpA3(yX^vJ|px&aUgFLZO!msczvr<{ynrJ!gVc zJYa|9iYLPlxw^(nXOZ`ptlj^&yf42VA z`h<18`VzH5^%LbS%8AM=6)&jfDV|q+O0ijZM3GP|R!mp871t_8gY&;XQ$K)1TEG88-fHOePzfW7u>%lS0~bAQy#0?eb{3 z)1RtcG<{x5bYvQQsp{CmrnbzwrMLUii<%5D_lr*BA_v+od(k;EAB zdayWq=T^o9?RwpVS7hHI9?%{k_JP-5WQ#L!%eNZ)9G{!BiLbZkJc`)Cy(`3huP>hu zr&QEDopJ68ejMEhO6E+A2X*8c{dzd=*bsqM41=VNctD4fy>zC&KGfV?k52jiAA4^C zC&zWxi+1&F-91~p$FeMUELoZvsiyZ$@shC?Teh}nMqVeGRCia;wAIUax<{i?>=>1I zTejsjL;^WCa4!(v`#}~6@P2TCgaioNg#-xXhDYGS1>V&NxIhHa=>5NQPF0=msh*zA z0p)sROH);+>YO@tzVCeN|D)eWM@16Vs5r4x&uP;lS3o@+ z8|!^6X=@`(?nNW4+K_RM!(s9C-i;e_I$R?mz;}c-;AKV=$()+ZW+Q4$gAG5I4r>6w zyw*6!(Xu!(Zd@PCX5%>oiDa)f&T(`sp5D9BPVYS@17K~G(|gaUjMjO2??#s1``n$z zxowQ^oSNoCUNKgOv>v#Fi2S*jG|f-pPFMt$>7qWxAUu}x>MMir;6;r^&(!a(qvSz1 zdvAcE>I}_+`o$*pML;X5d4g=FzsstYo~C#T6|re5{BQ6mZaoSfO-ejIF~#oZq-Nl&UFP!l2}<+Bm}_m%!cQHdvQ#=4sXfb$}+a)0yga zTD{rwOa<&o0E%s=6_3RX_%Y#-BaqXIUf}f25l`8a@7YN>VvMov)GO6IhZErqs5%J& zkd#?$xFDiI(B9yTp3W5Vn9%+~bj-qKDsYCB#``2}(k0(YbJO6)m2}qNp88(=dHtB& z>;0S>2AL;QdJVr?Do=9YdIBlgGQdu7wqAQW3pYJN6l(6pI^rk5s^CBZbH%qYzr(8F zQtM!`_%g1T;HeY&@d*d)lHJC+t&EKrk8?I+i7)RU6`3d|Yf3{9i8$&XmytG-jMOj5 zNE*vr1KgTL%$B_oA{HA0e1oqa@>qk=9+9SL)^o-#-KxV$9aX~{Euf2<{K z=?O$SPWSt3NKLwdGXvaW^+1A{+;ziS<-SIVM$L|E>9gj+l*^#e^77ls z_MAZFW*|?N-`)gwWr=&HX$}BOT{av`$vC%#D;E3sVs#Lk8j$>okxS3Xu!kGheZV+( z3!|V4AAu!&N%B;)jr)4z9LMwH&@3Bk66YhvIS$$PAn!oVmFL`7NCdUA$d$%94(!Jf 
zTW$to3!=P0?;O96Gk}|Kf>6gX`?yedvn13(aim~-{(~VV*lY43ZmJpLka3Q~xpFaU zlRU(O^|2m}#AggR#(Llb-bfHLNkGh;<7lmdW8FkU+UUC9)%#4(#hw>>Zt4ET?%iE~ z&^6roH=SkQpZOm5b$UPUz1H)?p7(WpwqsZOpS4f6yW3uE+tB*|wBFnD*DX)9TmQc)K!7$>+-=Y9}W8w@R+NA!b` zI{e)3PTxlTkPUHRKZmB%I?`Ddi?$3=Kz%5T*roc2CR|A%20fa(&0V^c`fy$wyDPwW zDabLbdrC(e2SnqkfIdn_7Y0P*N+cLXfrwk(+WV=$2FsmtHuq_h6ln=dhSRk1=qQKq z`4FxolaXZf{q9G%Qy2F-PTL5wj*g^Jki!fRV-d281zqF8(J(S%76u~YN-P*eWZZUl zIYnLG<=AD-if5pc6rt+hRmo_RPJyZ+gv$fOGwd*pi9zHCBvGZqT}V=gL(Mvbg^TDJ z`%fl2U7U29Q3T5;qH*-MV3EWJ5!)Wcigyj97OW?5X??ja~29=43I<7xD^+JL2sFt>nD~1p#AEvnSxcf+q zdbz`~7hy;9Tk)xlLKY*D?co@{N-&zJ3-RSwFajh##N5Sb;~6|Wv_sxSxk2N;ybctk z`gfy;A}~G~k0JoRW(N5c1UMrhA?iLJq3)a`)en||y+e_%v?{1h&fVn#P&`snK{{q&n|AjLjyQinwRO)VFg4DyUB6;YrcPBG|Wp(mne%V5~ZIj6ir= zjCCKBI*uTW8XHnL?0zCd9XkgaOGG#_3rPZ*YbFPvJUy}>kv$ODQ&ZIj1Heni!VYha zfO*Pb3y0iOK^nk5#}y?F03qE7NM+N^Q-wzKg``QZ79LC@NWY#|_>~k=T(AJ#lL6|} zIl+Ybq?Z~#nwcn9!1IuHfh?Y(N`}6>(=>+%!Rf;F?3MQz3k4B<9B_YRkb0yvA%|T_ zC(}M4ycqPoa}O9bvPl-M-Z0206^+CO-6y)$b?D**oKX&a3=6ng>`Rj@nG);xD2#Md z{=VVigFr9?LK};{-8(!)-xW6XY3@vL8V>|Ssv1-m^-FJzD`1Slkm^3Rjo!FEEs=|8 z2O<2nKJsJnY;vgjQ5pUN{pW7KxmQZgWp;rJkKL18n2x zuw;vL>M000fD55=QYpP7q(|h{hJst&9~+>a$d|Y9tD2O;auS)P3h#BFK9wm{@>%}~ z!xT2TiF5zqP$ZeClS6p_;S{o#Vgv3+`>B8DP1{U6^B=TLtXRyHRhzFYOmD@5Nmxtb z%@&d?uEZfp#>4&Y=|1YxIlo0B*8|hlG)r_jgnT=}C&<;|@TMfYVIQc^_TU2wlO~Yt zbLX~Dx6aa|%^!&qf{yYFMFe^pKOw2nM6KxKFfiqCTe`Urg$A$x65LKxl)lPXXrxK_ym{7T@GPwvoo+%oe0^EMlK< z?m39ftUd#r_e{ckG_}#)-8JC4MY+}0{g>Up-~G#7S3}!>+?)39@eX>vAAEZfpGq-{f?5ioiudq3Q}w|9H*_7{754E{GJntndrJjT3hKpEhT|Kt9BLNP8<330b_;!$Qy za=mDotKb@~qSg+#azJj@U~HW6S0?gBKl2CqD_OXfD^&tv9`q0KD?l;ur*$;oyAI0$ zE?RO93K>^GV@L%7hOB8psSG}|)wp@Y1WOpj^>) zmP;m@qe?GT>TOWBP%`&VMoQIaz`m=-S$1gG(9V6k28-GHQpor`4pnTD&Za_)AD4!XU*A<7UF&~ zCU4s=vzkh^R1?|q_k?*PnDSBEZjw2Jm>rwEN1#%D<%Kj@pf)*mpAcQ|VI1c1-nIJ%s$w{;Z>LKT8j_jw8Mm zR#LvpxJaeT-O3Y!S}ga|vKLE_agnN>yA^Itb-mDoGY4wUc%Hh~xVWE@=ksl%!|$;R zhp^z*viQv>$-MQoPTCddz(T3m2)}^T2|2+BC>z>CAIAKAJ7Y#eHmr@yHg}3l2US 
zQ7;CIk!pS0%X8g`aq(WhVR5g3>ji7WS{3)b-ne)V>uIA{;#WvaFkxKW!!C}Ai|tFE zsjG~OR7KjYh~Yj@ZkK2fr|+si4d({lm+C!R@B92s*BTe8$g^AF0Q#=ynLh@sEfY2_ z?qpYZh>h#{4Y_POj_oX>rnF>8jq0%sO2#43M%PjiEfmkivx&@g#zm_5>{fV;jqCaK zL0~gLON=M4F)j|VOFYQN^}HEngL|lYvwe>pW`p5T9cO!ZR$1n!ju{sz#?P&Yij}VC zSG=j4-iG=W&BJS!@Yc)N!?k*7>-tXpfEQp&E{pb|FF~6OL1Z961_Ve3O=~CJT_{iG zArl=cS10VP6a{0jl}77#>MHrS?0A(bEfo9EVIR-xIlWZT$B;ft2-0i6H80p9ALF>+ z7^wX{I=r7mvtYls9 z54qMk%i>^3A7SkUOL}opmNdqiiXHRCbzmJIVrK;Fcu{5@A22SCvWupC-ENs2he?zs zFaes=8g-uhhmv#+X7Mn4hRO1{Clt)$A$cS(5VLrYoe|991({hqz^({p@xq3sh`u2F z``KNBS-h}5s3nt-jI}hF#bI_yFpC!?W-(H8kIgLbRfgFm@l{@6L3wx$ipsTl9*H3D zuQ}s+GGbiZ&X~zFCbzqcMG#3QkcH2_fdh|B-jyk)svj)wKK{_igTcd*L$libu@aBH zD8~<#?m3!1e9uHCd^o&+_x@m}SeSmOHaaAJ;K)O>>2PSrgAeR4?0@9YNcQe~Cey{{ zMR6MPSbM8qe(6|HTh^K4*6wU~*N0uVySKY~zuLQ{=h^Om?Y^(;XS)VE|GD$mI!|?u zc7{6JeShNnDc@7R2Yjl}?fpaVr@bHZ9`bJX{Hy18JfHAnJ>ib;c6_DdOh>un&W>x_ z|CUt&(A$&koo(N0`%K$YZTGhgwEk1;FSowj`atW(mVasaYRlP{sg~V98TeoBUvap$~8E8B%K z&>Zrnt^D}@GyZ06t;CptGj_UGqt~+<_n+ZeS^}loX%JR2egBynJa(tH7RLMfipJv zJ0+Dl+*OxV7Cyrv;HjSmgIk#F6+Ux~_4W;Jf@E3;t2}V#YU?ISt8y4y*ji}=XY9PS zMvbixH*kjMtBJ4d_+)FT4VOW)W z$q|Hw!_-+b*MEkm$I*}*w3X(fv*{qL#{Fk}R^tW_w!TRJ8E><;5{-JSwhcarjquWc z#?H-aFbIi8IeNn)Ghxke_>7Izj}`4S!%j5XYK@!#IvhTWBaOCLcM(p7!(9t#)NS3- zU~o<}YC}vkxM?Ac_MaiB2@YaT-(q1>s!gK(r>U~QqHXQ(DkEPNHi#^t&%D&T7FJZB!*35=Z zKWa6lCA@HE7t&<-^rUqU(d5E=97uBTG-3JhF%d~Fys3^NL#GMBiQnKnvV{a0I!zTE z7Q1I5J$8Njoq=%ZKm7>CVxi5qEmp0d`_#WjsV=*!1nNsUjjuteuAad63N0plI%~}# z)_~I(7cS49&%IM0RI>&H7O-gfiC*pBdE#T>iIzT*L>gg{gv;lzR&tT?$dmC`C`5e-hc4^w0FdNr{_1? 
zehe4@Pqr1&yzQad@lvE3{nVf5XTQ(?er}U-@ffqOol0;Q$H^5N>qUkUxjuLBa1XzL zT4v_@jIIGlJsg3LJ(^Xc0HIY=G5Fns=~yDAYq?-D8efLFeug`N0~!9W-?EZdDAt#s ztnid&c;R8PM`!}-)ia!MnC5jmM;88`aSf&4QQ>}PzLB`U(^NjBLU`$s8*%*dLV*_9w}NKV5Ui^URIL z#VTVlC;J79xr|NteRckSiKGPBhD1(H-1wu6xQGrJ8ioMk5X;$4v#h^}mE8E^BNh9p zX6EL?2WX8Sa5P=1yI8Zv&Cyvyujyn#(}iPQ&;%o9Ii~g#NBMj#XbJjjHZ(qZ5kJwl z|G>@G2bFRlmfd@PhpC*$y)POwYDclx5_I~}jNr^a`hW0!>Q z^hM@7eR|lqsIw3CqIrJBa@+F#(oCLP%3Lf%o?C6yDF_|mrAv!DZ4hxeGcz-ogMg^d zatJCwl8gtcl*3R}r}PSgG73QKO9Xv{23@tRx0iPZGsiL|}5sq+U#vA`rNk=qL~lqFF=fWu+006UN0X=RamZ zh85zt=3fV_Aj2rj4Co-?C0%pI^CYNQV*`4|WDl3I@KPtcNZ+}Mq{6;+(rXw=dwk+WRfG{o`KX-qo_uKAAT7K8v-kE9n#g?CJxx3|qEqAo2EnfG(xc`Uy59kl6 z{^q~m=VpM*`1L+w%wNwrMt}J94_%RsRsXf41e%UEjTozs0JC z-eb(aS7yF1uk+2iuB?4z*qFb9wGk58OB>R$Od^tsL6MCiNinJglWHoOjjFLkPETm5 zEdC2Wv(uRGWNYN4_<%31URVMYh`$j82xRr0>G8mhop<_?^`ZIgltE-9lmt55QbxW6 z`Dw2vkB%YJH#0bst@sHZNM!M3vT2sV(?A%K zG79z{*n8*DunK*Q;tB%%uqFp(wpa)-&1B#3oxngN^IBjBo{#eobO^v|dmum?xPEN1 zP|jCXfU9M-S%wD(fhta6vCzV@>2Vdqf>?!WNc0ve!s{_#T$s|Ps}tp^?fyIU*=dwY zLe}Fpf4P#$(o>4lC6u<2C8kg?5RUtbVlEb#sbczoe^R0Z8y<$GytET5ZW4?tA zOeo1OUD23eMvQqk?_X%iFWFJbt6^|g8S@GogLv#o3S5py!Qx%)w2-(@lJfloJ0qm) zld|&tF?L0;`jZ=$;y{47{y4kKG+(TbXpuN@OA@4ff0SJk%J)f0`95BAPmS_D%Pt8e z`y>xs{-*11Yxkw^*Q00B#{4?AKwjc_&90YMM@HCx0PwjTo5G`1OO@-N?ANghOPu6q z{Nl2|Z%wkc7|SF(YoBbsh2>9{&K66#LQ{gLU|_=iWanMvIaX)DXqL0U>Wq$)l%mQu zI@*QT=%JZnb}3J*K}KvCls+2Bk8US!3`9Wq(*R>i*{a;iO_y?YSD+u#9MjLj8ItYf zi%*RFO%{9Nt_ODP+B>-GfnAG!xWU2EQS*O@WrXuOIy%hoj3eRN1t1yDo122`CHGZ9 zK7%h_#n_DCi!a^Od!?(*1ul9uJ8d#&a8ZaK*BbLzveSZRzGU&t-cPywi?O0>jQJjR zr(l6E*(`9rn_UoW^Cg=FUTw^Gu}jyB9qKwR_F&9jcHSH_tS9rHnlql>KL(Bl{ak0v zzo+K;>tQuT)><^2!(DAPcTuK}kKN^3XUt#Au5qYA*UL3ngWcY@UGHnz(boIr-p{xE zrSE_HKH~d^@0WeMe7(LO^&R!SHGB6*7CKm)c$BKpZ6c+Str&T^S816-Ppp(`;=wcAl=alSRnOaW}>VW^Q6)4J+NbF z@7VBz!y~))K?lnL?wcb&X!vys>Hqno&@%y|g-m@-*h12?A_@Y#9zDuGqXDrT77{7} zI!#&#bx24PEKq|o4B?v|Gv;sP0;*{)sS*iI9PJP(HEONX`1I^wie(A1+`M0E$Eoxs+ti6Wz{MJ zL8_=n%J7*Gl)Tj#D*7aFieMJ7b@XH)6b=B*y$-w`I1-|A_n5{Yx@1=gfmK-HG!@_u 
zzH_h?P_Z#&09@2fID{NatrmzB^{ToFhec>uB#+6r2=IvmQ+eRTYK7e(6haG=6n%%g zC6yk~5;LBG~Q~=6GpmQ$qT;Fm^ap~5k~lxn~nKCc7IIV z-|o~5TMJ|$D&%2h!oG4744nkB>{f*K`^tu;a1e-DguZO$>%X!-0k9-Jf;!3&{RlnT ztq9TY6-o4?S|0X2w&({zlWKWbIsUI$IsO#2kc!kUd!3e}bf~a>ZLL7XhMjXVH5p=dSWiM|?>fv-ann}Sd zoJGW8Tnnn{XgUqVn^+_Ol|A+UtXU|Wi$YaMYJo8`J31!K_M@5<=>bm z*l+7aU%sh#mJfLgJ1u1OmnqyJl)$SKCb%_)FI%tfa^aH@0=M-^UY0%yA#vMdvOmf5 zE@OTJBam0id{Mo;;>~J-3Ik{q|5D~`307$ilL0{N<@iS|CwR>!wjkQlxs1tLi39c9 z5x^Ki34703lCfC8E2TKRQW$sFo{6lz&A0|jiNXtIHF}{JpIUH>26N#%ZfM(`A0yi_ zs70+IgSxVwCiXhEJudNS!h%urn5Z14;5;bF9?lyRCR8BL%@>mOg3pAwNCu3$Yu3rwIgM_HB&{vdhm7&WXF{6EuNVOcBW9(b&*vs{qZ3t493m!6C@ z$OkN+s|hV-cbJaS0<1!X?SAJnC{SK*Y^cD1Npn;O!K6>sFljLS^^CO%tHH~(aokXI z#Y0UwVH7QU7mx$Gp3| z5$}4>fA@R_kpKnHRj2~+$&Q!X|Dok8J?-6p2h6}Pbf4%R?>^jpd-pZH-|qcH@3Sqp zD#v?H_8jlYDn+H(@D;^{<}I2%q1koi?_4i7Yx6z2-hH*(&YO7hHe)`=cA;m4X!P3Z z#I$9bg}Kpk#aLc72GBZNZY48O)hb6SB)BhXS_EiUfPvmoI4%pIvFx7|d1?ZVv4~TO z?cKhAWYj-&c;xN_hxUv-2rDGhpPQQ+hfzQ;i^Ky0nXLe%*~HniV`rk!^t6ILRV7YS z%$KICaPj$rzUu5G5*47tED(cFv>Wq0e(=Ocxg7DDgCJa2Fa>eqQ0(Dm9frz3qfO}u zcCeu$R~lUL44jJhv&D4s{d_2|u2`gj&&ouXZ0MZdc?^*AOe-UKCmzg&;#w-MX48ov zfFSj>n#?8QYABwFLvoHpfIYnod8bBGhoWY8<}9_W+H1-?u>I_$!B^ohh8>1!?-Sb8 zR8XG{;5${PD}fa7*@MYYGKf+VQQ$6z?a0H%UP4=CPX)gJ-0E3tJ&@-@+8!;(`eQ&t zHKhtQ!-!n<3%y?2fvpYSK{J;;!8J?7>f8_e7))l8M}Eq|{|;^CK1M2ru>HSkY3*yc zl1yEHS?dV;VfS=!|hVuc^Uh|8W`2Ve^zZ)Z>nj-G8+!p ztHRlQC4*8^Q?s@@jP%6_S!9KN8&`u7m{&q;uir{Kl*N}36UBWJf*1Q)apUd&{Uef? 
z#icAv8kaGJo-8SElI3+2VQG2f!lCX5m5Nw|#oO6=ETAFe!19^!u1GVP&YRXtJkWq*L|R7uRFEId)<^Ve+TbiSnxlGy{>K%u6_w(x^AzTz;!s2mCwAk zZkI976DvN-2lkq^HPXsvDicLVV{3%2B~%-xa#?BGNTwlNQ`i!CK8CO*yjEjNp#1-J z%I&VMD?2ZC{zd0kJAa|`lbuI84|d+s+3WiU-!|V3-p4yW(eYfzO#6RzyOqCF{+sgi z%8x5AD-SBSD=Hv*{=zlm`nu~&uFttX<$Bfi1Fo{`!}53UpfYNXKVNY?dwHEixksWK zMR_0lNVhPm=4Fpj!<*1Q72$liWkV#Y!6Y6F11&!SYkDx3L+XAAe??NcY&@e!6In#1 zoV$&GBPn2Lv_%M8!tbJYVS({UEyD^!Krg^EUj$>~BNkP0Ii4`u3`3pGJ_oELp zl{F7V*qC@>qXVplxv2!h>fhisMkVBj1#N~=p{bg$l6A^#2S1UPFTnInudn)1)KC0| zWLoQYxcO1@CamF-le%raKqDcH%UOUpAX1^|5{jz8M}cfM4b^^@&M~2jYw#cld<9Oc zoSFa!GNEgTX_>_kvic+iMobN%# zyo~!f^RjgLcbL#tM`mE>q{Uk7oGOQts%o9^JUM2Z+sEGQ*#LjD)rmgKwhphPPJ{^6 zC6jWb#yl*=$JWq7AA*8SDi}4X*(7JcBnUW&g-v8K7#*-fTQd7ZXR*h?+L^>DJ^i(njagOR# znBv@~^(aIa4AGN7xeK6~?&_uq#}>+r(lsp3NKQ zNGDR1S9Y*T*t8b%puizPxi(SxyHVY89_hD)nOTOx2(rldlvYH@BngNmy*g8#IzrnZ z73zfWQSnoX9F;AFuqR26Tq1%N@X$j$XUk2*Fn}jS zDC(~U%V60O7yM~#_sv;VTTN-J>>r1G3cHFKP)b!gG!*<~f{lOAPJhI|pHCwbHFj82 z$#;NC12L&iI^x0+k8BVk3#6h=D5N}_!5pGMnjLB&aI=PxJVAayBp}FA5>37ju`?)%$P`L+Eb(QP)kbr(A8HZ9COA(fZxq zCwu$5f4uwS-OqF(7t27~f`tjgvjs%&x-B-FtpCDfJn z4;>uAc2po&Zyn#bPsDX`I1yZfnF*|p=J!L_K{$zlA&BImCnSd5Pc||NG78hw2vg?F+Cd&n$Ob{pl#+e?TPjf(XF}4qp-hw%pZP8TMCZUu; zt1{0OsStXpI%YDR(Q)ir)yh$NaYvR=7Zctv>ds0v7_)sMHQtF>%t0$eloOV>sh~BE zl3s6|BQQHf*~+AeE$^vY_K;($>^ip{Zy{BvBA@W|zTvuMQ3gU6At)VVcX89%7F)`> z#yCf)dx|Imw#D*(O&I4!8QVF*eTkcE#97(I3Ioy5&S5`Ap}@j}U7b(?p!{OmSqUe& zBSe~qM&;1^O68J@RLAP9KVO`j&?*!Cn~ZZ0vq5l|!sc43)Bl0su_Y(Owc7nxC z@OI|n-m-45ajwj1)XQ&eOruNMf}#DDSO?r2vZaO&-)EdFvWqd^SG&_hTxpyms5?c} zB-~6v0pSD&PB3@oz&Dd3NCPw z)NBfFfw&$=h3pXc8^PY0THNOK8G>lhqNy14z8t&49e$f7y-%0#sNsm@Z8ACHW{V>} zgAbKq(=EctHm_I`Tfn!N7`Bu*U4~+}Knzov!a@WFZ^SHuHNL2wH*$}RGjsSV;WP6AI| zJb?uB%WaOkMVc678>VwQ2sL#&Q)8*-9^+h^^QAV%D>hqp=anoJa1RPNu($`wKonSD zo$wfs8Ry1Whfnip;mw!TCLfB`n1dID_L?i9Z;`LhF3|?Jzg*H0@!RiXF0bvh9^rPY zOsHvqOjgtZAL(M-{R=tJYPPWZjB`}$T~SWl$UnHl9%ind#t3P33z02Dd~1pTvA#9s z?iZTMyKB^-yY0AZgR~oO>;bMqFl5a2vX{Z$*0Q_) 
zOl4Z{+n{F?QQ(TjRCN96HF}MA_%U$iKW4ra-eJpzrI-`2V-r@6xnplxpUvg8U?iPN zW5*^$9Me*}#oV!Z}Qy)yOqoa&eY;+Og<)ebc>AL>_t7Q)p8H{A3qjwd`Y2*bLG^QBf z#G)NqGO|<0!?bHu5AsUIyN=~CP}apEAc0L)VJq2(1aM+Y??^BEcrcylet~Ml%rhgD zp)jmh?*j$^Dl06`6%UE!Zexx> zNlc#Czi!Z&BUnd8IlynV#C!?vmvA6iXau>IE7uxxSF<~~!ry_IACp&6p!3 z7}JT$OlalS_wU z(W{L)LaQ;^Q=iG6a7U+nhpkXtVa)m174AstV~(WfA2Q~=jGMjAm94%ND-)6vw$TS+ z>V>tnEb`vVP%j{8sKZr+nrc%VhN5CE0hmYuyD_rkpr5#aKN3l%;5^Fa$-9MX012$* zVG06g0dxmEDFsBY9A&XB4fG3oj8+&dR;Dt8MUyA8>=V7D9v%+BHZ+a;DzobNbUv$L z0SC0~(R`(hK%pJ??NX_biW*D=?Nk&A1RFsi2mz`f@VIDe4XC>kqo|!aE1?+fm^EBU zNx}YZhbbdQIe{?c@UopyS-r~LZY1|x4vacofm=y;>WFnIv9OSXn4j%zo*B2^Lt#Ut zdmtsYI)yD6XW?>TxM*ZSsdp+BE7eMdVv$W90$!IxBg4oCSa>q*aCYa8eOjrm=}cv8 zgrGGG!#uF5?((7GVbqr|Pt~8+i?G4t&5l&dlXxhMx>LIm>a~PsOK1|0)-@^~V*TyE z%lUlW*%5sTsc(R}tUF(sMBo;AO)DxQwz7y@tDVZ-!#mBm_61jlDrAnQu&%mG`>;nJ z8rfBMHZuXx)%w{W(9*hgbjp6)CFz3;;5&IC2tGpqi(#LHae9v3xo86KhmAQ8R|vS( zwa?N3*NT*}1#~d3$}Qu4&Nqn7;QMhT7eN;w@K||G>6+6 zSFMZau?e5Zo(n`=oy-?ON@J56a9$~_$f9`0FN9SU=WVJNLK{w)6mOofs9l_JqV)R5 zO4M#XW)VtXqzSF_`iDC_iLZU}oEj>xJx7nj8S9Cdf*L9pt!)Y)l}KD%tRrvhY%OV9 zU2tJoB5!enP1@pwN!HRKf2}2`_e+rpY=u9JZFhOuy|)>2t&G@;Od{=b5M~!=AE4G2 znOfK7jX45}g$aQN*7R9I?&<}N1!BfVV@_eca{z!osuObrAnW^elxVZ%0bc)a&eid| z9lz8O?;7m7rt{yB2k;x6Z*!R!bbN#97H(fvP`f>cJ`RRx&v6>U_9xQ1F z_AaT_5*k5J53*Ik1@!?gsP8c50&HQvHpABXz={QRI80bh`>+WK3p z#`UUSD6`xlkVwT7dN`~`vI!ko5vepV-Lf$tm_uR7rNYsO7FveHt^qf%Ouz*+}=C;k32!p*+2lNj1rTHy$g#SP;2bssON!joL|9y83A(#Ueiw07>Z2Y~a zJW<-Kjm+#Y-2}-K8GJMIg{s{e6(N zCz_RDWZ`7MbYER)$(Gf`lZArTvY@Sch<`m6HjHF|Tg8$Qr;*5~RWlQ}-JCCF3e#Er z=G$-Gff)1=6yZZ^lo=g$+s*iux#w@b{k}VQB?foy-Fs`mY6ukany21g+X>sutd8_! 
zi*_U~S8l%j@cw)EAGm-2V*M=DTfzfOIL&Z%hG2W-)y#F7yO6>HMTpN0)FI$G?xr8Q z3XKm@bWDK~Nt@RD6PD0pVz_++<^+jiMAlsboNt&_OtME&PbOB>n&aceLl;J^F^>%c zXowji<~FSOWPnsS+EvDs9{YBzF_uooS01@SJEd=5F9yIp>)D zR$t|87I!rcs#J|a1(lZ(_fw%}0Ss)NG_Zae>Gkpn&r>idZ)GEWj+>MRE-wuMd;to8 zC0R0tFvieeWWs<i1&ZRQg_CbF}IoBsPh{s4rIw<4a~WOR%n`Y`(e%vB_o)fP15Z2 zlR0-IJHb;&`)kd)H?vDTKBRv`B%XxG5KpPGXc+Z*LV89`r@}ck84Ct;iBu*WNe5w^ zeIL6?n8Vj2B2kaT_3WFz z(#fW#f5nnw6Pr8}4wv%Y&bguzzpeEeG?3fAr(D~%!Sd}PWQBTIE{tW1V$McY%IXvQ zKJyecPf4`=WHuKQp{eARt8>aRdB9JuINK9vJK_c;FPvm`T~-ec&NtX?WzXB1KDpN0 z#vg6F*Z^Y8eQZpyS}4u1*{&Dq!F)N6w_|Xvv`+1a+lE>IU^J5wPzWsWA!dPJ2tjB@ zA_xm+<2aV?)^E5rDkoh%zuxoHJ#V#bZ1c4KOY5J*|Nm3HAL%{N^X;x*?)s^&vt1b= z0{*V|XS_e`ebT!hh=4bHyF6d_e4*nrKm$D5_B(CA*!F+5J)oTI(OjQ#ebV)c>tnrh zy?@yIYrUWE{gK|+dQbG8Aa=t4R>usZ0%10$Ma1hX$U_X=)}(A+SL`7Xv;x zOtTDl1yZSvsy<0k^<}umvb+-$riD`BZ4emnUvhXLV4C%9hE;=x1WWQKX+V+!fUOW| zS`^#I0&E{GAfu!!SQE8ce|F3k>xN9twyJCU#Z^8*CnrOlF{JXEK8#a$v1(mV&tQ)dCrkLwj(4&^FTcIHHF*;dv5PUykMROoDTe%R$>? z)HQ~r@#Io;y&a?5?NA|mU5;7{vtGlJ*C-1eY!V@}MBcedt%`8(%s`oKi)vLeP{6iz zhGNX^XDjPTo`k*4Qma7EWxqWN`dBv4&SJZIKh%rY9eTwoRCxZ5+ zeNwOrp74GhyKO76iewZ-b`N_PC$g=?DtH1p*W9+&vI?F)&RNCQ4Z&P6u0^yMa=L>6 z{Ru^&w7~|f>hVl25{tz{;S}KQ=Xee|*W9+Q55}|c98v+o(A;>&IFIb#Drs(VQutO| zbAx@KCxvtS{#It+f9kj~cPCpi&vS)#>x$)y`}ge;Ilu(KV2T7xj#$d8TKgSJnCeq` ziV4sP&ccN$C(uWyUKx`ha2Kmrza%{Si#mLX*#;Z5u&x*LNZlF))<}Si;-x%F=2Zgh z8wct)DFoyvqqamY^!8gxG`#EoTk(Yt(FI z8?KO<_<`z24mfSYs^3aSMAm`BK3tx1FscfxwG5fscT@-JZML7Gxip@6$XQ4qoibDD z%_KnQoj7644KV`JI9XXcVe`)d+T#EPg7#>~yF(^MkFm>`yPd7=r?}O3>t(g$^@RwQ zgndK$j^QBL7Q>;YvF#1$a5Z}pWTlh;QFJh{#3=jBoFxvd*OExh%_VdlERo8on8vID zi6w^QJ8YH+uRB%evb^qF9X8uFqXeu^0`52E%B}0}HRj&Wd+*?@-`cHL#Nc3#rJ^pT z;IQ?Ikw#nyl3^r~;>QfYmIqE-H zp=a5VZq{xg*Ib~8H{MXhdr>+9Ke6P9sza=Z8jL5bLn#wr`N2~sAS8204}-JtK?kmD zRY2fD83jPM!(sx(p{m111Asd*5>h2JOd6$iWeJ(0=wpzqHYgT*00XlyTk&@g8G(SA z(-|5E6-}H4kLG{`T&NgahdA{r=g~Y)ebD03WIM9$Ly(8;VTcZ-x{a`Uafybo@c^Fz zqZ2uet~cg5oPl_FO~&yJ#@rO+(j3cu5UC3ME&1c2k?_1}u92vuk)V{4F~@V5xt5`B 
z(DigAh$3ZbDwhV3l&&XL4Pc{cSdT?x>9n4WXEV>?i%hV$JjK6=x?&~3#F6w5Pft>u zCRy8#<`ER^?;9RIh=mGoH8Y~Y$VdV60C1cpjOKEQDGEy&?J^Vv`bGqgL(eB=LGxn} zWWu8hX2!^%|L`O()8|W<%T@Y3LkIW3;#Vka13l3lhz_av$ART3g$^N6WNLO20x?@i zlLbQiL_tlzsc9pG2;O*H#$Ccv*2qY>xUh@Q8i2ZCCL8l|P$(^#uMU#c6tBX-rC?dq zO92YeuT%pE?PQj~9$rI4#fvP^Wn|?=3g*W`vUHjJOukS!qU)106jxKPz$Di~fx*|Y zFeYnNnZ-ad0pGb#*mz9m6Bbl;s*ITX>Ztg2bZHiNjsRu^Q~H* zZw!!wEbvW3B~6s0D~J=Gr@h8pmd)Y|EqoR)Bk^S!h@Fg}Oqz5cN{cEPSz5$o3qmG= zlB&DRhgl@L$Yc9$Ny#ruNVRrji%w-ir4cdm=2-*_?%?Dq(`)lc9g8n5f3vi;`Q@i# zZZYOEj3|cqT67ShD$f^6=$Tm!M8B90QHi=C^YU2n{ zTx#34VJVJR@HP$y#W~fs^_fg8lSu~C$RVHO(DR(PZIgH#$DJ2<*t`w4VGb_OZNuA` zZJ3<#8(IukTX*YsTOaCrvFm8pXxGlJNZ0k9e~B!BpX+?Sv*`P}?@PYZo-ccT#`B|| zXxoO?U9DSNuWGr_@}-uaX!*ewqveC{ZLa^?^3|4KX!)C#XIn}wA8Og#^8S{Amg`%t z*8|Loo(dV~c}^~W`@n`!Jg%oQv7nj+qgJC)4VLjxEURWiz)cJ4DL}I6R~YAciYgy* zfQ=Y6YtDDG)p_!&JuN>dRn(LBi+6v2cLr8D1MapJJ|MKL`>r(3^Hg}Q;|Y4{HqP^W zcrIQ9z*)}obayTQ1!_3U3TW$E<2=tg=X@ftK9LCNVI4$ywQ-&&nsd$)usO?l4(%cC zkU5J3ou0VSm^;pQ5sv&fXi1ebGc$v5#gwu|N_1vP&PVg5TsbgtM1_81raA{o`b;Ij zilxJ>Qq)ysVyjt{e23FWW#J^i)h)tkkbx4aA5#$rUnv(!=T<9|W%6UFTx73!@=ixkYqZJAt+9GYIscrsr7-CE6pfMfq)4A@X-vFMFRXl5xLv` zp$f}%V2bflSmH7i z0CYv2+jAYyG4JInLPMRK_uziP*k z3&nTKfCvI?n0?`(GuFioIy>|V#`!Kr*eCWdxhh~0cC+th>Wa(zYT$(&cS7(&(CK*& zHz7`Vo;+Zj=TH;R_VOWJ4!V~W_p;<92Xm3wt3+NV_2%T-1%tE)wp`fqAlpct@!4KL zeb&lp>W8Ex+(o#Wt-&ncguK}}?_r|!9sG+rXfRgh!Ff4PKCte@RmS;tzV(Pr)ly(q z#S~Y|65nf_Z)2~-VXgyLNUU+Iah|6e3z}jeG>xYgBp@dj50ZS~mNbvSTKRyd0(04W zaD$f65_(XNsiABvp+*tz3B1Wz66Rw)md*qt2>c8~KH#7@e77H5kC2s&7StmExtZh8 zH)5AW;ek1hdcy^VL0e#$q5wgHA$MLkdU_ZzO`$=Q&qwK4_^g;H?2Uon=)>_fo z=DL)3UdHCS8qWYIQ1}KKY=8ejRraijTmvia7k(lhV$3QF0bks#JSDr)OsCf3C^6jYVsE)BWnA);tA!d_g|kbA zM+K-XD|B})9-Pzdxytok_ePiJKll7e&nJ4G>*?q^}x>npNo*s{i%2)ME}O3QEFjHd{Bni;4pOlgh)y}3Kg2! 
z89afth{a;;NfA`1qzjRFf;EW8*}Fs&9G^?Pdn_JhtKkWLP>`0?uV(A9)daH z0dAobpNdcnxUjf@h*>jL48o_#uz}Xo#Ce5&o$Xm6^IMs!#Upw`H4!~9=khdou6YK@{SgB!@_C+7&Q-ABhHwToWg-B& z$wrgNy3@08gy@-wn#iT$|42teS|SE5mZx-I&tF>ToVhDu{RUTW;0~$geJX4CDvVo9TJt(FDmyYJA0Fnb{WU3jBDz(CE$59Bl${%Evx$OAtGyH0{%>~dYX7N@tsPgjUuZwx{;l>ew`W_=x8L3R!|m%^ z^KC!d_Mh8Mwtcki!M3~G5^bB!KmSKf*SjzK?hL#;11p(YwLD4uiUj2mf>ch67i%st`dbv zC5lF%67d8zu0@14MAOL>^jA$y!4IWIVd7D>TsEsFb11ACMZwKTG7Oc7CkAqrC}gWd z@0V1f&`rHBm?{xZm*Xl?s8%K7xDZ^y39U~gQ4ltj3x}W*aVQ9`5``p{h~q$rJ8YHc z)CY|75%$48`6&NjYoQV~*VLJQw3KOEhGT2h1`J5M&=vq_QeBM+qk(5^4cC8jt&f%1 zu0v=AObu~{G5R0Y8_Gnm<43Bru9vO-`Jrb4RG%fV0F?7x6xFpvQRQ}O+tP1Wi|`ZR zziE~v>!F!bzlBWx7OWU-=1J>-jQ`dFc>wH#+I#F)%n@KWBX59pL@ojA0Db}M_fX32 zlX(d2E954yj>tz~9gw3yI*8bhAeVu4B}9IMnj`5Nc@V5?k8Zu z*6++0VI7e}!ajgk!a9I!!v0;lAFha)^rCP~*zK5`!n%w3D(oY2SXf61Oo??st_$mc z{1*=c z3i(hP6}c(cC3&W}Yr?;UnZaoCol>!^46Hu$+fXv0n0r~ft*BxEAbY0c?-Ok_d{Cwy2ogKb!dfxIp<(cX@ z+455@Z?+t7(OP!5yvO~|?!R>Zw)=vJQQ!ldhs@3GC#GT()m^KT^{L$L?|#0{OQIIMsf-OG?dNzL76wT%u@7w~}F^s_P90O>8d;rXiXZ!MYfg z6?%eL)*j;$MP9lUt|PeKST|x^qR30Pa)L|ut~cC6g+h4-v2u`=$acKLu9`;3fV9=J z{9D_eOah~D!Gfdl`MBP=MB#sK#asijMsbyKi6Z{oq6V|;jdnIKI8F6&tkbWPrV&qK z&=huO4f^$)t~D-Eu$^0!gm=Bp6a$F9nXqw*;_BQA*GgQkZwQ9ZBETj8pK>-F`qU@n!)B%;Y{j7tt-#6PXpnLXl*WX%$O(>t$#a z2p(fvI9I|cPab}YDy2=&Oym)LPWt@ep&i6=E9BYC<~2~=H1ktXL^{X`@#lFK1r833 z#YON4P|w**Ou+$2ACKxj02{qTuY`E^y$5y-?HwC_aCl_bz6SaPIbK&=b&buLox4rJ zd&hOeplP#AsD~bORA)I3X}nT^3bh47fQ3p0fLc&GQW*z6Eb#7L$RTC;ph|tw6FHofdWkN#^ILJ{g=TsQ{Ilycag@*MCn5a61#=6}RpB5TTye|D4 z74GzLc+Iw(Q$A)IV(^jh6|&PA6lxQLhhwgBvA2WB)F@SLp+=ZHFajHMb z35nAY1zbsEVq^rAaEXir9W@ne8tz55J98yD(DRhex zbV<=QD%>Aoffta6rVz1#0<#!`i5T55L?4nyyw)VSb{n|8KVz6|e2w?#0Fx4Qzhtc7 zhKUtzz9nGzaGl%70KZugElDJRO_sA-`COgk15tw4*|80{jxjw=C8QW(@(X;Q3gI*1 z&`yR(A{ip&U>1;K`XL|!bO>@H_$%(UQU&rH)rT)O0p*XSy-;$v(wHaM61T#GYh16f z=o%361UoB~wby8;9j`g#A^rbG_l;ctU*FZ&^`6du>ilNsuXMiH`Do`@=iQy_eE;VA zyzf)qkGFrL{VVN1)Bd*mFWkT5{+#=?`w90Rcfft4yIuJs<>!=`veEUV@|N9KJp)mGX*+YJHeZzI8$V)wG+H4?F5%7 
z?$O!_-rN9HIh09<0Ye63rW%bUgFq#VM^IQGos4Ip2BjiVD9#kiXzc`VuFnP2S}>N# z<)AoI$fTt>ziICTmnfLgzDM2(E^T6$#7^)g?F7#zj7uBYPVh1>1mt>i#XG^>`79}y zyD8iouZ}VWL)Ge3K23a&d*hby(#zNmrYjH#8LFAp4G9k@2&NPN!ys5#BW(#NPhf5a z!&))#KQvvQ0PbDM%DINdNpQs9gWUkUP|OLpXG=_&tk?dn6MP$he$4lPx(1^{(;Y+u zvtYMdKthHq!2C<)CziAusean|>ecc36m)B2aon0v5GIy% z*jw`BxnnyH?-{o1lGBo*mCI&9ES;ly%}=i=f+hTY_IE>YC}6EoNCQ!!VuCRdaC-V3 z9xaM&Ofq$z?qEU;|1AC3&m<@`a~RSGHud5L8`~ucL$)@yH^s(wi2|c-zJ!hKlE3DR z=V{nEZ(>ycg2v^)H!ouqQUeHR+yMYLWanHkrYEl4Q6`G za;@9~W=qolWQxKdrEhF2s60nTx=AKy(un!8Sxns>-Fk>#>~8y^qg#jR%n<&<4`1SS z^Rhr1+|JRx1kp=WPY(c5EGao<(e1!iU8Ar*F0c5s(QaJYz*g^*9~G>v9cTY|dUxO4@(!~?8cZ-@x1r_08r_i%N3AD@pm zRxCtu9~K}7{Y!bl+T4yc@hvrQ27s#~DQnO!6Hx)WFTn`~hJ)c~JmBx!s~y*-P(=Oi zp+h?l4ei-ayPIrKEt_eBF!g7Sq^DtQo?@o|nMoB=L>1=lz%&fmTDC%tfH>82vQiDz zJMEj)Lqj7B?g+(e2vtYrHSY!|v$;BXE}W_tAqXCJN-K;N%SUyVnPJHgnI^$Ysi3oH zYRZ*T3Hf)*q#*GFGj3rEca>V6QsyXaSh}H;viP_<51jgd}Y(dQL}OX+gDhPd!46FnvC~YZ5vE;$a=s2w|lL|4IXSwT>slW&Dw^| z0S~<0ZMAJQ21kR@(;CEYZ^0$F0T<9&Alq|JlcywY6#K>_@G(jRqk-__)=$!60l}Iy-B%#d39; z2?ts_d(65CwB&S?6D^&cvF-vbIo(xHOJ|Q-cQhEB11+7MZg!IcEuF1eH(`ET7pJAO zm1d14S~@$`w6XQ&2F^a(w6RS~XD6FBwrS~Xxmjb0md=)%HkN3qXf?)abDBDdmI_we z2GcCl(h;k1g9lp^*MIhrW^E-}%3Ez44MKYGgw?pgAS7BEx7uR4I?aR=E#<76KubO8q2iwk*1BUFE?;@tZ8G3 zmOk9Hu|!KBYSvh$rO~F1C0cseYK+z9G<6m&b+`LmH!8G3Kk1nV zj7xi%ZRsTu$o=sZ+fyGpaQ6ZK&I|?M#G?d%$pWGGlt|Ju!<6C?R00b|lWH;=1>R6Z zOQa6=rDW;bgrfwxKf@Vb!tNJ7q#;QCW`xUB5yB3Z@lx zwB|#YiDmq%WORLu%+wkJkIega@}Tn_FkO>Td1xHJj3Oujh(Ap{#GWo_Q~nt}U5js2)MovaNo|Ho##I=g zfVs?3q)?>B0B&}Lel3_`DbwCE%)Yhm3F8t$Y$A)M$Suupx$noA;Qj)*nE;dHXU!?cs4?x5MqF90Fi&#Q#%LZ@y zvdy0^*Wd8v3B=E>2&dj#wUyzw8kbad`7SZd?F{gt;vc4u%_<-GY2qnz0uv9f-Zs`; zUPQ;B%ck}i2Fn`X+EyqApmQ=^gOs7E8`|4QPGVYTZ8J6B%^3wY_`2=>? 
zobi0fxU`EeMqXFR_3_n3PAo`tm^3c!1F=Jdf;$U8AUA@k zu|nqFGDGGFILGE1#P=gLXFN|L#)EK&+{&{e#^bHkF@7!qZpTDDI;|sPkbPzL>sSR5 zqNQ0ckL8P0Ji}bG<|7Gfib-O$UYn*zEzaOf%MJ=FEj!SxyZt$rU-^Bv_dT9& z&l8^Uj(_a(Z zUC*EsZpg0{x zF*wdw!IH+)h3SY|)wSXvC0|ojI2Mk@lCXpE0G!1Ic=jm33T3@@xR;TCt{y8?K$I%5 zrtr_;M73D(IZ4}T=u}6_Q|bIv*0NTFqQMx@cJL=o)`~d5WV0zPm{NoB4C=)u;wi!j%&EvW)x+sXDium6uQe`EEUY46I120I8j4!R5}D}L z#syw}_69x_Q*FT=auv*it+iZZT%bT$ML>iUEC`Nn;{q>A+sz*Z+{6prtfe^N>3G(~ z!G-Y*j$6;Gi5D!r47bPy> zrV%lmR`swJQKOkqOie`+fR#rr#B@xHX5!fx-kDblvNfKD1$nQ!7GgK5blT~ z(g=?*MGa%+Ma%f>9ih_ftydZs2x-MEhkS&hog;C)FRx+7-}i|1zAnr^p`a)N1?7l6 z|KH)Y#Kc(a`FEjT84A3(Zo6@TLqzkc2E}%0V@!k+R%!5VpvWL4OPDkLlmy|wSD&3J zPh~3@F~^hU+Gc^2=@be$U!eGGv-Wl2rf0g1?-0O>qMYnx-}lJMwNjg}z$Q;sArSeF zh@B&! zLGp-s1u10+p+VrNTZRo7^msRXQc)*4i_5HY^fWN!pScnc}N-O31L%86l)eXM{9spCP-2p9zBYIa`vY zb4#RbAs?6-4vjH~Nb0yj`6E~N=evIdvHp*H&w8Ktmc93TZ}WOQbDnQ`e%l?0L zcYVS2U+~AJ9CYmzg3T)a>9_(R^&mX~p}3guFh?VhxbI zULxK(GwMXi{8q-EfZPb8oKgkzc-1(b}MN~Ynt$YeD=ok-|fGPVr)h#aI=3`32% zf-6QOr2(LgFzTrEI4tirJUsc;L5o&211VPUri#%5bG`tTs{wzPx$!;aiPBzeWM+qD zKL{qn$rxOWF;s;LCzFYw9J7E5JcC+kb`TO>fT67fa>+yvqC3#i6M7ipel(5*!CX`& z++Ab~#xr^_QqPR7*OU2hFu5dItG=r1+Cj-kAqY0l_6IVkMr2w_2S&vNkCGT&sF9Ew zwLDY?6hdj4Vo@D3izp>v^3sOcVr|BS7^8<1T-`5OR;XovbJN_kvM&y$hJ)mDjjco) zDw+CCEvMvp@>b&luQ2dTp40ASY?P9c$>mi9gS>w7CxqZ? zO0bMntL2bQ_#;fZyxbxW(J9p!l~m&b#c3$YK0c`SX0r+Po+33&gG7=0%JH@YU}G-) z;!Utn@XCnXLQ%9V6tJZ5vVGi=Qrv*xxUd#YMqxie)Laz6?<&%&H8q_KhBB!{DuREo z%MyBxxn~yF$Fs?7Fa>)Qc3A?iG3^~iX_qDJ8tV>wm%YNcK+rX&?WM?UFV8+?Tp;Kg z=w5u5iYwk@mt`zr8}3qOz*!qxtrq}fXu@ID`2id?6MLs6rPkz~1aL{<%KEH?zFM6? 
zhD}wS(krlZW+o^JI}!*c18JN-LT-R;d8VWyDoO?XNlC-s`Nw7LV0>Bqtgz#c3ZFP9c2uV zSv52mkSBE6I#Deb(W!jK^rPC!%IE_BK6{wuQI%R+URQojX5H2(W+rI=mbxU!Unuxf z92Lm#r>9Snty(R~r?_1!U&@v34mW4An{|9o>1mm)Kagd|&T7??v3wX}{PImJpm|7nYqZ8_@a#s1Cb8YY$?ES~5@A zE00~b79BgvWJx4h0?PaHn6)iPtib;d-8Ss{oU8X2daJ#IJ^!=kQ$3?S*LMG2_Y2)S zyXL!ou4}4mTjyVO7CX22{@i!Qci7kM{Wb67-k9eXJX4;5j&FCI?l{!pYyZ{u<87DP zzR-4S>#wx#ZkccS*_KkvX7{(;8TSp!A1E&>J75*~+#0FTyH4Ebak;Nkb_{u3Kg`yD z`@sU@b@No%wfg_FcO`&r6z6(%T9z$|`v^1<&=NbXY-x98$u6NJwnGBBAOQk3B(fyi zBC@1N^2Jr66iQ1e^d!_Y<+ZOZEzr_~vm6NtExqYYTiQpjS9;Uqwcs9k|IGYa?bz!m zaRTqr{&ptoZ)W!2*>C5cd;Wo$W%J6{Hn!dkx{RTS2Iq)(=^b5RwG9@OgWdMtttT3C zZk>aiNE=u*jYm3rx1M0gnVgdxm^z8aAU*R8Iq#i=oN!wQOgzURJ;xhzZkdxDIDSTt zMtZj%XUN%ppmL&J(ayG5xD&dt<6DnyWZ!G+Lik`en*^~lqQIC6o3VrrbWf(lCOA`2 zrmxEk4kwbqbg>BYmt#Y)VgS~g^8?wTr0>lpO64V4SZKfo!v->g(?2nPv=$C`bjEwP z9%H=1drVK>udD)c;%)H`*gT;2ZavzN^X@sxfzzHNoqF%qqYOFknv)zjBL)oU_HI4W zkn_$t$ceSF!-AslUPl;m-Z3XRVc3}w?;PKHcu(c!H5gXrnSnbg_ zy+n^@yHVnhu>-Y7-}sU|I@;FJsYbL|?^eI@;ofF?^8RM*Xq(!pX}UJP)mM9k8%%;; zybq^?PKCov7n+S%c&q8j`}+!d8%+A^G04MBhMeo?AV+KK>`-+LbjoYUdCQ#SM5C~k z3X07}L(ZG$BnLJtb!t#{c?>z%%|VXZ7K><|(T?7&4ThXI%}I{h5#!a9+mLhZ9OOjW zU}UpXh41b%9xM?{C%(x9L!? 
z#NiX$4LOxL$qC0`cN%0ln;~cGfy>c5+dA}^-T~=R3^`ZNNeA9*Z<*GTPCElj$uw5e3b7fV^m2;31Yl}nMEF9~(qAKNzIZ4sg z&UlA5c6lS?g*Al45V0WUMa!^yM_VUrzI66nR!#n8b4Wf^wJ{Y+ww{Tql!-Y>2}9#W z4fl*!rHs!(O0*3cQmUr+j8&zK%}Gim0{cR>p3$n5(K$%b+d5#aCrBBoN*S4xlt?TN zJ577aRVn2;NYUD2kWo9eo>EmxX--n$GlTZ^6suB-bC3cxPe)9RsXbe&Qp6!H2UZNI zZCVu00M>g7RVjrzqy=gnJ+8)LJ^8AX{G6n~;f%0_x+hnalAD7Rs6OIh*l^u5T$M6B zCn?Z$k3o@?txCzxNeZ;wqp>)f|6gcZZFetsx4Y-NJ+2?S_PE~aI?nl9zuor--!s0O zymxuu<-N??50(IqY@BNRW#cy+Z)@BJ>jPfn`GWgO=hMzFIq$XIW{n)aKZsoskKi8M{9sVMPx>}WO^+dx^UCK06S77rE zN$w%$8w%$6hJGF(<{Jw0wbVc=+>uh@2r!ty)uV9wbtjyW8tRBAl5q0e09(a+t+Vn% zA0PO;UX;LvIZp@lRu8{m)9kBZiLvnDON^I^`D?Z!YkyKT*GYFa5zQAvaufD2e?G!a z3>=1ecbq`4njPKO;=dVdjp{5Ye38b`r|)9h=TbqiVasj5Pg}@$9$!b;lO9OG9&TxN zyH5n|_Yy-fE`m0#VIe46>?sSZt~5O8MTm!d;C$N3CF?zIFmV2Qu03MlyigrDzsRh7 zY~cJtvxjG4<%J&Zv4oeHd5c-o^KxuOeRcxwW!r_TgYNlxiUPBJ3GOAHY{?UA~croWSK4OtXELnD3Bg`!41o_yT;kPp`bNlzWPq*t{_lTb=-88;NYNrwHrn z$E)Y=!M++eMzNS7~F-xz)0u4-12u2qT0qNVf2=u1AKTy6YkKqsBRyi455Gb^*^yxb3ZAsodfu#yM_# z18q3pqz#36ODiv&$2~+Jq+lqlv~;3gJqPN$o=Xu^`~^vU+bb`uoep`X%F!q!{v7Tr76s**DzD`pqG^&htMVEiAetum`RR@{>>cTZwPooJ zFhie+#9@^gJK;@N!90BeHjl*9P&lsUH;KYAe_}MMb@a!y0SyYrl{`cgj(Jnzc((bD zTHy#OJBx>4%8acy*IZJ0ff-G**{%9G8?zB%k_aAJnz`}4*AKE8^5{OOpm(p3$sKk?9%~Q(Lq~JOL z^K+)HJK!7g+7sDqZ4m)X1asffOnQv@nwmdw4lFwoO!CVCG(6gKAPJ)k|CnAMCDwK96tI zl_(AJe4@?#ZDBouDGT)ldA*6b2r^G!EhAw)XBK46MzWw|3BWgL<#&V@X5ft0*40_|CgIC0o(qk zdA|xH0_uh&4s<0?@niT(D)m$&*%YsSKvB>B`(9ySrP%!_Mf`_>I5iiPEd zZ!62qvoFInbh9tiozG$cy((QE%ENjX-WnEiQ9VMiW|#Z+g&BCB``8gFn4Fs8 zv1LAI!U7!;$Wz5O4Zx{a5MtJ1vr4kX!J)HC`J5Q+V9%Mwc*u;qF3J>^L5F%Z*ffCK z>O94G_nz)GV2mE0GaFevRehn=`E`lWbT?ao$DUBPT&S_aPjBL1hkvu+axhU4T%XTp zO*`2Se34M0@`BhCyH&J8ixzF`HQbb(vFns?ofv_=?cfdnC&kG#!X8Avz=wUx2w zSOM%w!syRJ_~r|1wj!XOy24aX73aZH*vm!DDB8(IqqQvwFVu`pz~jL(-b8SAdWIN1 zWuS-kp)cc)L*Y^*JY0EUf(NeS6=cypyF`Oz)b1Qs=2Z&bqmidV^4A@4aYA76!z=jV!84JN^@<6CR9qAb8j75|2gbJ;2cJ_01 zdGVGLQv(AjHKoTop%u;!b*?T*-ePKnZ!zCdYlXuY3p?7mx*&NAAEJ2kyvhrC{uSOK 
zh}tse7Wlf__M0BIb#)L{b)E~x6~Qu)*dyINoML7R#O9yyfam*#T`cqka$1lx_`oG4gG z9M;-X-1;h8rYs&6f=7j_k1DlK-|1s%ma1->J`%0pi-3;Ai*}5txxD42CtpF_JyI-! z&C&B=t2OM*>f__B{1{d+)=}*cui@oNsSg&E4ROmPrlr1p2O?mkoXHL+a=gZ?wfzrB zM8357U~UJyQn}2)#KDNjC5oU(`QpLINM%Z3qi%v3l1*}xYjb5ZQSL9oF1lJ`OdThq z&t}naS_|v`s^!6YI6kmc?Lk?O3tw7!At&mHUS3jfF?vrghQ2{zKFmun*ZQ&t-b{sN+NE6mL^ExRMJshic>*e%F{>YmjOk zKG#C!B->wXP2X+$T+_yexcknA`3-LOJKPt$f8*Ze{*Lpn?r!JZ?xUUU_7A&$;`+Mn zFU@~&J?#3R>w4D~IKS`ju2;K5uuEXFd3E#R<|CWOn+KcEZ|-f@n@?#zqUkx?&*3zH z-R$>e)W-)#?tU31SAq0u2bkWiudYlT#dCQ@7{V?Y6(!p?S4gMfzp-{!X|ncbtUVHe zjco1daX7n_S?vpfrAyZKOn_;!)F5n@OO(wNbGK~Zr__@?qR;Gk4 zpskyE@l&!WV`n*Ubri+|;Dm}&+gz>Y^V6WaD^tSy8s-C|bT*ED7KE}LB`{XBnfK+A zY$PQWgl<}uiq}-8nt5R;jB%ITbx3plNpborQ)Yu?r3I17lrTyuy6C0(;n+aDKb2HN z$C zwJ!RUup)z)SEhuu zyQBH*7STN2l-ZPCaY56w%skzcu%IXEx*|(xJa%+ts*y_;V=b_?2p2DadAcbV4-wQC zP1Fm6cH-5FHR`WBxiV$vCDKh%k(xOVgzU#)5+4KEAM$3|k8K`(JKzB_Xesg`GV5Uh z!w8BreF)5kxc(VK)b zu!|G2rIXm9w>X7!mV8uV#tABYwGYgSdEW321*eUngRjvK#<@#VCu@exg~1s^>1@nA zXpC0y3MG`}o}rZCFUHYL!|0eA7(bsjd~QyVCQPzeCFlxJb;Dpw&@`fMJQ9*>8ZqbI z#+&NsX*2Lbdw-e)2QYAbV6B{4#-3keHU9$B3hfQv=v3Ksf=XdLFm|&%EB~- zsem#HzymmuBE;7WT8xp_ZEvG_PiP!^XB@@jb2ckSD+$H5+V#rjtD1+K`@G+AZFKzA z@k7VsjyoKqj*A^D9UTs@{kQfT>{r;HQWCBsU3O=oS~%Fe$_wy2`%k4&~araK6i6I=GIHx0^a@2W}v0>w?OZ zu+CQz%MwN`dTP^5L>V@BS`w*CMk@^wy zz}oar1N{qOeoOQ($~cx*nKIkfD#PUNR67?bIvi!A!vP&5Vf#v`M0tKJp~Vx4NM|VC zkpS!Fi2>*$C8Lp0NB=-tPs8>PHL63$D8!|S&Pe&hRHR=`r&AqK=)MRuSEBn;Hg#Ww zwJW@%)_sAllrVQCx>9A{m4X#L$IY(D|GpuoR;Etj#J^57YAiGfcP&7U76yGpv#UJs zEl~Qk@GSjq{M2)9ZHRf!`VAc3?AV|DbO6ncIkeu4+T42g4h$)V+avn)eq5OMWhBuK>ms2XfV~iy$b6BFTlTlZX<4wbp?yiA07VW2uj3ZK+Q8?2Hf_2z zO(4wWkEPfFN1KJ^F%Zbjc9lRhGf`7wW2&7YQ?$?^q&SfU!((Wkj74iVi8XZr*7G>a zM_^1ZH@LQ#XQ#ZjOP%)b)9gT%_O|IZ7uAlqEYpgl2LW=H1D^9^_#WWD{|#@7K}Zbjj$WbhmFk^rW?eP zP-ClAO_B&$oi4MSvJTFN%p}>Ss#=8VZi(uis+l2tor~o?tJ0}V!ZKueI$N*|sP4V6 zNC9NCM5btY7tidO@XR|_@Ez-qC!PvNx!4rRa`8!O-B0?tytQNmS=xanowJ|B!l znWbc-ysH*?5UXz2aK9UT2eW3v=lGTKO55EE?BajW+2Zpy|Ec+V&AXcKZhlX5qIr39 
ztl8Q0i>7i@vPo(5d;a11jpw`Wqh0@W{mk`c*QZ=px>BxnuEj2|^S6$Y^J&M)w!3YI z+Z5&Z%8!(Wb#KplO>OJl&|7c5yQj!)^p;?u87xnL!`WewqWk>b5L>tao8{oVZPQ4~f$xx6 zRhfFd7?fz@-M=x5?%&9PoTpf-OkF4hULXV-qa1vFMTQMsu!9FiVBNg@9&AX151lwv*CtIL$DJH#wQ^oo<8@?xE1Q|E}rU&pkc&lQSsBEK^j#iC%~ zM(vEMsvg%=SV})74zdu9i4oSi5GPomhX*{&1_8$A!T8Sx-jNsMKV#DPPkUwR0v;&# zIE=wY`Fi;ZhJnO}U@;6d%7%e-*fc*Sb_I)cjIv=MvB6gi1C5%8fyCxsF*YzdKRytL zgSKI3Czu|GVW9XxG?a)Y^^gi@ccfDTV1_LchG8JFy;ltCjGh=B(EB5)Xee|&FhJN$N@XToq7~d3|&c*oV zC>jWv5)Tw%^!(VEdx&0o(1in{C(HMri;0_GJ*VXlYQIsI{MAR6faBTlLo3+eq}NC=EL>7iJEG!<0`^i({Zw(en_ zJ5nlTV1xc(F+WnM9n6#{!G>wJ)&kCnVv8}(BJk|%{ryxPu2%GS`Ym=h; zSeACkCO+!gj=>w@jQ!S?Q8`#Hh( z^-Mr1FZr-@m&4WFEVtecgkqGy`$%4U6 zu`^Z-ZjQm=rW%RByA7G%ZH#sN#Aa2|@f$OD{KQ68(eWFb52r|g9YHW|9FKOg8Ys;S z*rj8k&TurXgGu-PsFr|^pV*`-dTnDT!p5j19ETAHGlEk|{$SD18#DFugdt_Tqt?%Z zlnHySm@>nR;G2%COl{)d<83E#D#qqq@zx(B=9TaMy!ruj_zrfSfYlNEm?_vt{X8_$ z4>o9F-)AB_QObz*Ql-RjA)9W8A!{&E69>CA9RqN>#Q-c{Olkf79nn-Go=hYD z)krb>x}ogibnetGi>pf<(y*K(mEnCxSpPNHUIH_|=`vWhPG<995hOHR3grg|V9`!! zbR^48lj_f8p>Y&~#jK%JCY39Pm~qfhqCY=UK2A1V_6<4sPI;eFVOwGs6EF>@H)0v zhUNBPcQykhpqYhg0w6C9q;o0!yhza!C_7grvSY9vuSSv~c4j6XhJ7`#VSIlR7&H=Q z$n53?v^jyb_o+p zH9sHhET>b(ldK+;O`i|O!)JevoTH5Qm`lzIvK)oq)A-ou;^wBBEuax3Z``rAR-5h8=2nN-W=94$u!)iLa!LN7gDYW;8LK-?%TW*9 z$lb=u--O*6Jm+M>VjQx%M`q6FoczsZ8snRox3#JAH!uJMJ9R4!q7h~cU^1h4u(&h{ zRv5t&E;FN>L(Fz6iiNBhSkNj?Fv?D_Rjnp^n5EsGl`DfKSPlyIni716F<;^ev1XhL z#?}q7=fE(hux=sNaZX6XoL!Zvt9a@MMN&88h<-rIDA z_ZQx8d)IsJ_k7s%u7;4~Bc3Zf3D0s*i{q`1^F98CXKc^fK5y%FoT$9tH)TK1-tAj! 
z53=7{6I4bu|NZ`J>q(Wp8OV8dTP4Cjr*ex$em7Y_=w7vM{aU_sx@829@?ttT4C{`I zkTZ=oJN#*kHkS6aYu!AoHFFKe@R?(DO4E;E7Nq2DRL?HpDPnN)% zmf=DfG9g=mY7{iE0+X*cW%{#9G}?l&trI42)4>%v&;_uiRSYf}Dd%B4b2L$A*7gcq zxw_Y^3a;sA`#(#ssO)8f?RML%k)^{|XEsAE2bPeTJ@iCQuk2+5>vr3P7{M)=GNljp zfd*?LVfL6AY;m+f_SpB2zp|HEy|vp!-$A*>4?b)fqUPf{rm~kUO}5)a{!?x?R70)o zWs8&TcyO3<^L#jGGuj{4%m<#KKq1_OioC)V^cfhi-SmM~qUbb-AZWB3O zx%ouBUypXC)i7B3+RK)H+HFEPl$)#C0r#-wpS62x>TyJ6FIxy|w;e6mxtZ^Whu2_p z9kth(*YHQBW#43oP>lWZDUJ?3 z9ZN$3*@T6W!0jh$a1eM3)<&n_WUK6D+dk~J8@7lfZlCj<1vGC9u$3wZ`3*Klv!fD% z!ZZ$_s@R`|9>7#ZZR2qewpa1z;s#{g$-ozCSJNR3{{&%af!J*g&6O4a)jDH6>~@Cw zW!*$B1^pptATrg41qYb|n4jS54Pc?cx(UecV1=f2AJZ5mjAM)&l&YP4*rkxpW;287 zTr$o4GKJ6(?8pd#oeSm<+6PxKqX@GJI7(mL7;c)afDT(*A~(?nLk{iS=3#qBB%yY8 z^!JD2kpwJygkuBQ>7D~2tsf4tAJ7wU=4b!(?bb%MT4xd=4#wEqRaM?fA8!XcX)oSf zfvHq9tbf57P2vml#^|Cx{HV}P5(^DN)f_M*96q!4Izss0Uu#hjoHlI=0;*v@i zpsT^Ma@FbwKUE?%oB`7$+;BKEJIM}s5Sa+_3v01JvpWNw+jI(^Y^n&Vw!CIrEVs3- zvX|`zg4#$d4_CHJlM^pWwyMrS%q>$v8J04aVcQpYx|9=VE5o3eW|OQ&F}>X=ra{go zNzMsPzf=4*IZ*0uYzm@QsMSi{qbhsZWQ5%&MwpcCxDpqh#rEwO(@H6vX^ZMv)e@XM7f#uTB1>)fgSm1 z&~WntSc%(T(^>lK&@-_0Rh7NNBBOPR?{t z=%8>E+R(bHM&Afc%1e1l--J!dTmCgl&>6k7E+{s8vf1U;<0Ge?)HgFel)IN}z0qae zv1Ofoq0S}INFVe=I%4p5xI^m;ErDeqs;)0v+S?uLyV4j_3s=Shuz`9*->RyRvTaynkJ^gBniq`d2C6aC}hle!=@-;17YH1il&A z1M2`j9Jo1fU0@<`Y2fvNm4U^9w!nhGVF8=}kN%(fzvX}2f3N=|{_XxZ`!Dlv_V@Wu z_qY3l{=@xt-=BOx^L^X*Ip2N0+kLnA-r~F5m-SujTkU(DFYG(XcZAQ;{O9JMH-D%3 z^KfRsN1NZ#`iV8 zt?>KeS&eP+GdQSBm z>+v+a(C~wXFE>2g@bQLUHN3y!riQHz#fD_V`i9wMRluDGk! 
zHP6-L{JZnF&L26y=KQ4d1I~9k-{{=w9B~dfFK{k*b~+b1PjEIn{^9tYjwz;j{nK{(Ji~_OII?vwzzDpZ0gxzJ>i-`yEn%;_p$R(3xs!<{mGScVVD@Ut>}P=*i4 z@O~NIC&PPXc#jM}Bg0S2@KZAUqzQgW+5HI_eq4rk$?#4Y-YvtA$?&5xyj_MLk>Q7B z_#qkorwl(R!w<;tKV*2D4Bs!q9VYliW%sQzoRr~vWq6AW-zUSHW%wQ$zFUUxlHogL z_zoGqU4}Qw@J1QFO@=qf@U1eu-UPp(?0&Nhuan`MWO%I%-y*{|%5a+uD>B?F!>eWZ z1{q!@!z*QYg$ys3;bk(Mkm0xqKB4R$mEnjC%Q7s0W;;Zhkc zF~P@_-3}SrP4KJA?jOnUhcbLxhCh(u_htA!89rr#Ur}~{SBBq_;kRY@Eg61OhTo9k zlQR6848JPFugLJrGW?PZzbL~m$nXgneqM&3li}ks++%{!blEM#$7Hz61R(>TA;Z_1 z;N!~f(`C3=hNsE!wKD9IVW$jZGVG9HRED|?H5sZhjL0x7!*&_A$uK0t*U0eICb&o0 zy-0?wGHj9ILK&Va!&l1i6d9f@!;_#n9WXVi<aU4Cl%4co`mN zg1eR7$I9>+86GXeqhxrb3=fy#VKNNJ&@V%u44Y-xBtx$Z8)fK`VS^0aGIW_B6q`s+_H?sq-udcyUr>v`B&aG2ZU4ntpit$Vq9++A=Fxvz8I@4nl8yZZ_E zQ|@OQJkU>%H-sBn8kRQ`NqQA9w7o1STUs_97> zMcCPNf79KKS2u2IJfkt#sCb_7?DX6Qqa&LQxoDb8nLMB_H+)y_@MGn_%E;&{ff({Y>Q zYR4wW8IJ9a=bamz_q&dBjk}(5$KBiA&o>;_u%V&QaDT&-p5r`W&$#C%&r_b~8sm*? z8@C6Z3p^Fr8Mr-gQ(!!>DX=^c4jdOy{LlKI^xyBl&3~Q0;NRds!{6dR%=f(S8Q&9* zg5z%Ian7~Qo19O=cuN6BVV-kuaNp#9((`2FxZ@`0xGUVSw&8jB&hUK$&j+3fJQ27% zusv{fU?{LQ5Dx?c9{+Rxr~EtpxBGAMkNY?Im;1y1Kb8qwjY-2YI*PdW81H%}&=M%Po($aYUaR0wgTv-npgepY zyUtf0+=kaJc-@HM-H6{K@Gd9f+c7+h_(6dm3!?uJUSEOXUln-QF^GSR;ar3B2nxaeeqk z48H@z_u%zY!v8T1!?&aVcLd(G7V$4J{2Ii67uUyng#W`I!0@8*e<&dEt|a19Fnkl@ zOYnL&UgH?P3Ne1ahYG^~;rlSW3&ZjIJ+@5v?;6GMS7G?q@cIy5KZ@apBmRlNyRH-0 zhrcAQpZ%u@f0%!-`N~88Bk*n;hW{GF@w@GsM9jbE0_C$$Azp`9{C*Grh+zo-9Qxz; z+Vye7{5wMUXAs|mSNDf9E{($NaG~g!d;foTqob zvXk=*SImbGuEuaKcfPXgd6e^MydU*z=iAXA^XtwJVfaFJ1$jTj>lg8QABG==_&I@h zO^NFx-^Xy92;ar?C-C!I#QeSm$^*YcjOo~g&wH#%-2cE2FdW}=7k{4x%A*Q~KY`(8 zfge2*@wFI^dbR6L^uI;;Kjy=5)URESitxwg3;#z?^*#Cj%i57h-{XULJrA!-@rru( z_$v^5#dXhL#r46Jc#Y!~%gqOm5cq+;c>N7tzlT@M4-fGCGGBQB^WOtJe*(tx0F@P&(jIlZ=pX=Ct#jVxbk$um8TP~n7{Am=>&{=aQ|!Z{uaDqxqiPx z;QLT7@8kNrK)H|WFI-W7@B2@Thx&itRfsp^70c86&P1%^^(4G<{ue0s;(OhT?{zQo zbuYfxz4%`D;(OhT?{zP}*S+{&_pTCh@9n}XzSq6SAjbE)2kW_ec)hqlxrdhnaOL_A zSFYD^#qV{`72^JT@O$0E%Si~w?{yD;uY2%&-Gk-NXRy5d49^D(l+WOMeTJ783zXYV 
z5ps9_(f6!!Sha1+uIT??uvCkk0m(7cD>tG4m;J|C#(%&cw)Fpqf4L+F-*4wT{hKV~ zzrjCl>7VuAB+0oK({rK!cFXwP{+*Wo?f$1EIoK}Qd7}S0%lO`a$IAcFzXXDk9Q>Y- z{wxr;jQ{n(T1)>&0z;A<%pZ^55xCki{`SCjOaE&EcbnzxK1%TOXfg1FW&DkSXDt0! z2A-GXEJQiXVja&9Uhjj-XB?kW<~;Ym>R@L7o3A*C`TysQ6##7hzdHMWqcs2jD`N!! zoByxQ{%@7$|DQHi0I>Q0>g<0>n*aZ*u>ye2|5s=K)6)F^PGbcCoByxQ{$C)?|9{F@ zCtjtK;8hB#*x&gMfgXuo|vAN|83XKZ|zoia4f4}+-p$e}mM@J1QF zO@=qf@U1euUWRXx;hSZ6oebY3!)s-DjSSytg5Od0RAgwLABIr#{4hZC{4l_6^1WBe z@Cq4TF2l=YI3dGv8IH+tRE8rmEX%MY!=en$)5YIb_T){W0CO@NmSI+g1sPr{!;B1v zWH>0p0U4%cn37>qhW#=$PZz@*nWu{ZZj>XNr;ER(?CCRw0(`v;FOuPfGQ3!Z7s&8@ z8J;J@^)g&1!*gY5o*#xpu9ZXA$Z)j`SIKat49_;fZz_9M$Z)v~&y?XZ8J;D>9vODa zaH$N<^TUt~^K>FW^K>FW^K>G>#j>c=WcXSccFC|)hH(@8hO#Fn!wwlnWvI(glc9Nb z5hRD@&~_QN$uK0t*T~R3od}W_$)T+>Y?0wY8J;S`SIN*kyZCiwk9l?xpm}x?;7O)? z0R~|$`(uZ)UL{#CH3RYoHBSh`_kD#NdZG+Zkl{QT9xp@l3@}JORt`NzhDXcrC>b6p z!y{y9o)CUg*>jjF6ktGxei`~?*epY@3>#(Wkzs=j-7+-K07I&ra;QUwb{X1as7P@4 zUK#$=1iz;2{)Y_zF2ldca7uhR@0H_cHvQ41X)b z-^lRSCI~B%ekH?S%J5kk{z8WTEyJJ5@TW5Ti41=%!)Lsp^t+w!{6Fje&vh+4>(kD4 z>;QHQ@Vx`Dhv1=o>>ZHD4y^VLR7Vbe4fE%-?;ViG4y^VLR7VcJ_EML?^gLqV{~ZIS z66z<);~5za$#77H12Vi+hA9~)W!Nvngbd9+KuDFj2MEyI0|aR9#Q`*T2mzWqgaFMQ zLV)HDA;1l$Wc*lp+}t4qXzmaKGW;;Zhkckzub4%^gCJZ0-;OGyWwT|lV0cLC7cy8vkJT>v!qE&!T)7XZz@3xMX{1weD} z0-(8f0npsL0BG)A05tb5eyBWd?p**h_bvc7ncf$mSB8x;Y>=T_hUVS{h;quI4jI~I zXp^D2ckx4IkGXdN(A>KKXzpDAH1{q5ntK;dD|^hn3xMX{1;FP`$pC2XYydQOHUOG? 
z7XZz@3xMX{1weD}0-(8f0npsL0BG)A05tb50GfLj0L{G%fWMMo;g>Qr_bz^*?D>T$ z6ySf$@aHo8nGAm_!=K3T85#bU41XlUAIk7)8U8?q-c@gE5iq6_<#)Wli|HGyhnzgk>RIh_$e8FQigZS@DnopxD4-- z;hi$P!vtZX?qf3is0?qH;YVcnVHy6X3_mEt56JL8WO$nl-_OqfbJ$N+yf-#H2p9Sx z1}qr3{%}X5Vn6)w>l>~=R{2?SK#g2}c`~2P!a-r_7G{4oxGn={rL_9Ir-6yL(@$f@ zOM=NPSUp^P@EQai`|zfmlMg& zZPQMKF@+3*dD5r}mm^`VgW+VN*ak-IwNN-33Wqy=mR96|K`?CB#m?!2vuMI#M$TtC zUWQQt7FW}Q`Qk)Z^@#P2a7rGx!pcIymS1WlS?*$X!czIM68j=xdyg4uh2)!#qT?ti zpEfS|4u%q7X|hmGkHD9=HU#IJexM9{Kg;~XzB0T4*we~(1&1<&LoDB&*3R8G`` zyy^2^d8Kvcoi*=z_c!P6cgB4&^6kNAT63O-FTqZSuNt4*uWXA348@(+85hN3AkVw9 z7tg-vH7y5QX5bn5*OYy^nA!6$51yWZP5GCH8)qpBGl%Tm%(f4M3uk2Fgs^tFUj_{Y zRkP+~b4HePF=XOv&b9M0`I>XCS)=?kIS`3X&(^(A0GF4rvW3~09mou}?jwtXy;&%P zyFjtFjHE%``P=h9H-aHWuvl9qKm=D0hd(q2G|XcEPH+pS0oIC$L_JH~YwOf52W2hk z-+|%(Q-a@;v++#*mUFIeP<}FdLt`Hqc|Thj|EFa&DAz$ZF{ILZZYA|>&5K&QLzK`) zJW)E&Xj{ysWZq}Fyzf$ZTA3`B$1{s#;CjEx;(fFzq;hyhK|H-spr$Z2gn9cT!+&Hf8hGKYpZL$YoT+>`4!k*zS-H~bUME3xWzH-SmHR!{;d5W`;GRb zy~EyUd)oF1Tg7&stws5h@`y#}l)Q)mV&ElZK%GoCDK?wO=J7;MdWF;3z)s#8$mYk^ zri;UwQVF{MV0=BfIbGbCNx^VIDxb?vsFSIBH$lD6jng2h` z9kV3PO7G68chgM0Yn@yRH#Kq%hi|b@wQHSRQ!lRRv#qWd*Obpz)r)KBTqIs5vURe@h&oFOOk%r@xYj8!w6bM#X`QGBvysUqMpVf67R=7nNpM9CQpNVM2!pIz~z`(SV}>3rb+c@J#*GCSPOR1o~-plZAq|Prll?3l!Aqu4x*oPA)R;m?d#D zRaBj9t#^}^j3!4Afa7*Lr z#*^Jox<0V4U;E;=uHq6Ya$F*2Kjz=zzs!HWU-kQazw&*~ z_W|EkzSsNWzN4Fe+b=iX@bq|&YxqsW&W7t7 z&Tn|7`*-dK+&8#4xplY4^#iM4`}?eZmCw%dEAwspr1AyX=Vgoh2V$1+W&4(MNVse7 z9B!gphyh|iS+wIK!x#)0zp*q%W|$*t-EpB28I0dpMXnjj*|DKs+?oZR9TymJXG?@h zFtd4Q81J)6gkgb4-Ep1~7p&@7#kH`ivtzw+6Ij);y2;9_&W?4)U0_wm>aJ;4b<`c_ z8h6Z+I1AfuJI<+h(@fiLtvlAjO~Ond@M~dkP77BpU$yR7QzvfC@Kx)M)%D_1ko|%PeaL4Iz zkFAjzkyR9DgQsembA2(9D`m=HL^il%u@uEHg=da(niRz`Q_4v@Udy6DmB%0CvU<`< zJG$gJ7LPhy|n9Lu*lX-7-W;-IF`@S672NR}h~wG! 
zOTAi(V)3Nljzv-wiw9Yht>i@v5Cg;jF+dCu1H=F^KnxHA!~iis3=jjv05L!e5Cg;j zF+dCu1H=F^KnxHA!~iis3=jjv05L!e5Cg;jF+dCu1H=F^KnxHA!~iis3=jjv05L!e z5Cg;jF+dCu1H=F^KnxHA!~iis3=jjv05L!e5Cg;jF+dCu1H=F^KnxHA!~iis3=jjv z05L!e5Cg;jF+dCu1H=F^KnxHA!~iis3=jjv05L!e5Cg;jF+dCu1H=F^KnxHA!~iis z3=jhr3#ZX=h<;755 z4CTd8UJT{MP+lD6#Zg`y<;7869OcDPUL57cQC=M7#Zg`-%IidVohYvp<#nRGPL$V) z@;XsoC(7#-@*-g&FA^5=B4Hsf5*G3zVIdC)=R5)7cop&@VIeOPMtKpG7eRRulovsH z5tJ7}c@dNsL3t6B7eRR{%2QFEit<#Hr=mO+<*6u7MR_X9Q&FCV@-&pEp*#)cX(&%a zc^b;oP@abJG?b^KJRRlfC{IUuI?B^go{sW#l&7OS9pyz)UKHg;QC<|~MNwW9U}c^xRP1Lbv~ybhGtf$2m2h@gH%P(LE59}(1#2PH0iBZB%7LH&rJene0|BB&n`)Q<@2M+EgFg8C6b z{fMA`L{L8>s2>s3j|l3Aiu$3VeyFG)D(Z)d`k|tJsHh)mSn#K!eyFG)D(Z)d`k|tJ zsHh(*>W7N@p`w1Ms2?iohl={4qJF5TA1dmHiu$3VeyFG)D(Z)d`k|tJsHh(*>W7N@ zp`w1Ms2?iohl={4qJF5TA1dmHiu$3VeyFG)D(Z)d`k|tJsHh(*>W7N@p`w1Ms2?io zhl={4qJF5TA1dmHiu$3VeyFG)D(Z)d`k|tJsHh(*>W7N@p`w1Ms2?iohl={4qJF5T zA1dmHiu$3VeyFG)D(Z)d`k|tJsHh(*>W7N@p`w1Ms2?iohl={4qJF5TA1dmHiu$3V zeyFG)D(Z)d`k|tJsHh(*>W7N@p`w1Ms2?iohl={4p?+wn9~$b1hWeqQerTv48tR9J z`k|qIXs90=>W7B{Yhlcv0p?+wn9~$b1hWeqQerTv48tR9J`k|qIXs90= z>W7B{Yhlcv0p?+wn9~$b1hWeqQerTv48tR9J`k|qIXs90=>W7B{Yhlcv0p?+wn9~$b1hWeqQerTv48tR9J`k|qIXs90=>W7B{Yhlcv0 zp?+wn9~$b1hWeqQerTv48tR9J`k|qIXs90=>W7B{Yhlcv0p?+wn9~$b1 zhWeqQerTv48tR9J`k|qIXs90=>W7B{Yhlcv0p?+wn9~$b1hWeqSe(0zl zI_igx`k|wK=%^n$>W7Z{p`(82s2@7&hmQK8qkib9A3ExXj{2dae(0zlI_igx`k|wK z=%^n$>W7Z{p`(82s2@7&hmQK8qkib9A3ExXj{2dae(0zlI_igx`k|wK=%^n$>W7Z{ zp`(82s2@7&hmQK8qkib9A3ExXj{2dae(0zlI_igx`k|wK=%^n$>W7Z{p`(82s2@7& zhmQK8qkib9A3ExXj{2dae(0zlI_igx`k|wK=%^n$>W7Z{p`(82s2@7&hmQK8qkib9 zA3ExXj{2dae(0zlI_igx`k|wK=%^n$>W7Z{p`(82s2@7&hmQK8qkib9A3ExXj{2da ze(0zlI_igx`VmF_h@yT(Q9q)nA5qkgDC$QP^&^V<5k>uoqJBhCKcc7~QPhtp>PHmy zBZ~SFMg54Pene3}qNpEH)Q>3YM-=rViuw^n{fMG|L{UGYs2@?(k0|O#6!jyD`VmF_ zh@yT(Q9q)nA5qkgDC$QP^&^V<5k>uoqJBhCKcc7~QPhtp>PHmyBZ~SFMg54Pene3} zqNpEH)Q>3WM<5gm1y3rD^iQ-8B}zkGOOoZxXnNg9p^z_@ySkQx-vycS(286tGcb@Y zrgP;b$z-}z@{Sa<8w-hYIbF{Qi%5j_@cAziW8P`GWJO&L^CoaK6iViL=M4 
zI!|!?$?C5G_Ps!%59ZQgL16hwl%Y&R2oSucQtHW zmdKXU!L|8Prkoi~mo|EZN1^HwOr;CyTq>B)1xv|drcf>g695yb;Y==5Di;&%wqQA* z&z6ECrF1Ho$py

ELiamnr9q;E~RaW{UaTa5`76KngD4DYynxaA)B1%ai$RHc=?0 zTh7m<$AZ1tM5(+an=Y1v-TB-=X0X+JTA`Re{j_90l@2B$w6yr-iNtXB2tWMKjgYoXZczB3UstdtJqpR#m`Qa-f=gES1he_Ujk&~dx@%P? zSw8!6$7F^RgXxWhM0u!dQD0xVl+5Sa(&On?FFYze-o=tp zDkn-qq5gEDTna7n@-zk4jg$(RWF|jS3a($*y=HZAT{%%Kdke)(zL+UbbOlv!F`Zyk zvDbtTGEz>Lx`JVEd7_Z+g6}lpJ*}P5cKT`Uj6&~~SNgYAl5Um-d?E+jx!{;>m45E? z3iJt%WpbfHF`qnkTV)duS%4uYrjn6pB$4RvIC@*<5*~B{1|1JKG1lOoi=}&xOXi1% zM<6du9I>s^$AgZ>dyXB-3=TnpF66$|1o^>dgXH5`xUF(N_jw)OX_0Nu%Wcl($8vD< zdD6}EV%sX~xz9$t+1`^br;{un2aPWg1o|PvB}&1SYr2=L42o|zZ(C&@zx7pk>*33? zz&R`Db9lUCMZ7ysSRV;%9gxzs+#6r~4)!J1a3A~< zcNkwn-Bwx6L(W4H^TUypnpP8$P;?;N8PfHESg3O#840QSKq3*-W1amSDfkwv_+9w@ z?l`fdKNb$F1F0l@zq5G|e!n|R-|sBx9_jn7;6eEP?%?0=nv1qomUET9{uE5y(bH9W zU1o4Nu`e|)XUbW~uqOW2jV6ckrE+jBpu=6k+UGCT^s9u=WBDGQC-Q^0oER*z!X;5ICz6}nQt5$ou9V)G9!-=$R4t&) zKBzY_QXa||yMpFS;)UV?-b@WgV(sC0dnD>*x}F~?Ceuu3lMp(Xhk`4J58jvrjb>#H z1cFy;Bw6la*?{R5yavm->?I(yl+M;bFt~yhFO6SMNaYRi#yh-rV4H-(q>1PqC29rKfvZCSqf5B%2i_^0bsdftZ2{ zh+X%KvmW#XnIu6f;mUt<2=o@Lhy>v)=%#=Zsp7eN-$lyjdv6 zvt2<}75BA_P^F$H?0&pn3^|mnR2+)9)m11WX>{o&4c=8fcs#5bC*=#oV2Zy=AoL% zPItLil`_5K>16PNbboL~4obdk7Al(*kA#)Yolx1Rkxr;U65JarkUQsh#`V~M+M$K? 
zL_8AGq235}#=^-^JQhtQ`XkYPs6wt8+E#hJDBG(w@1ZE$&21T0uJ2D$4yatOQ>{az zX&?;+AryJ692hE>3tjE)V`F1&oAbrXa+%Hf(Kcwcw2MMpYY&G~iHT6Y7#e`0d8C+z z#!+T8lT8n%Lr||Ivb?-*8!8WHQCbPa4X0C?kzp?93@9GQ^2N=ibaI5X+uDn%LTD&+ zDO4%YLJbY&$3o>idW4FpQV7biP%%B6FQ*fQLZ}4w5tNLj5Hz-Pr2;R)vlHx=;rwVi zR30kkM+S%BCP*f<2+}bv5gn*k8^znhT6-imy@q3rHF)|)=AcY27xV0$u=*>rob+PV zU%Uk!T)p1Zf)ZBe0McOG^qvj&s({~=>+ z+E(f2uer4ytEJgn(_Zh!6*=f&rAuYVslk=`!Qe7p<8Jht>(&{yEfj4_d2v&%ALqrl zRhDp{1U}T%3a{4;gJSUvelHe_cSyw|l&Pxor`;_aI31!eCq!x$% zIw%I-bj7x93eN{O4vO6P@wr!PTShYd*@^XIdEP~dr#iG$A~g`|?~L?^^hi7g6>5J+ zNYfLMNJNjuV(G*IRAm>eS`l1lJR!J*cSA%@gr;l>o}3OsMFv?g6=ZSyCtxTc&uW$6 zK)whCWM;T91mg-8H6AO9N+bQ{@OUKB*3UX6g?za!ImBu`s2ue6v0>;FjHg3mLz!|q z3qw7uuIisC!1zmONK{?Z>%21P2BB$-n}HUR1J6VXcq6haK`(x3Z8XEPhJ$1 zUiM`4hdZkN{7t7d2qMA!02_%Mp4q9}di=J^8+ZXwISC5@UezBuonQ%K(&nNOPELI=% zA*-s=*VWf&))wq!8qxYN!}N7=wPF29i!h#>pkE20_?Em&yF!$uT`l{iF!<c7nUrD9&^y*y%+UyHDbxEh2opn?;;y@l4&qnJK(`+7}vd==WFa;eth

TPaG>|D6O+kQA{qRPA`zpawvAL05{7&7OUl*M2MZ&K|K0SC~eI@pH(EKMoaf@&*6TMXvKU?zz- zfjG=2`b*G-7d`(_26|K3Y-W%RKD3K&b!eo-T2?s53o-aOPP!Pven^Nl!m{ZEj0jiY_Y}Bg;I0Svb8we|y9nGb!Tn58>~LtH?RIcu;BE!?5pW*^_bj*@!Tkc<5V*DA z-U{vpa6bn3Q*dtqR|0nd$Tl@2HdZ}odxc{!MzRK z$KhUhce@Ro1Dq3_3tR&@54hvOHG=a(+`Zub32p_ryTI=_xPBen2>cB~Y`+FK4sI#9 zAAl=>J00BXz?}hZ3Ak=>-vHMGZaugy;9d`|58TDzE&;a@+$L}daI3)egG+)-flGrM z05=HkNpMAQtKs?0;En|cM>yL3-~!+d1Lp<@C-&Np0Cyy~qagkUxE>AHe}J2SznkEi z2e%pA-@u&52lpFrXM(!|+*iQmz`YCHyTRQI?yKOogS!RXd%>~q z$sEfEJHWB`eLpys2mS-x2he>4u8hYIf@6Pw2(RpKmM)e**mFOI?h&{?1nv&JvcG=^ z4!())LG*hVt`C4??@$59?qTjyaO^#^;64eCy#sSsfMfZDU0M9A!Lc-LMSLY(+57DT z2b}VE`5Igyk8oaC++E-pmydya4LAr>{sh-W;1=NZ)A;w@aAnVDVayM%%J1R&Kj8iX z?yun3J@di;4{&Ag|3`2!#2{B;@7xNm0Udj02wWS4F*%@H%Jbk}5YBcCT&KXXd*M6t z>!0EJcZkd01M<1@Pq;RNWA6cwU*Qj%7n}ne=m*b}pd(zL*t2(nWADz~Zg7wXZF|5y z4(@Z{J`axNyZ4~`0$lyzz6kD1;2>WpKZom=!9jX#EPd>q+50jM&IG4|V_ZA~SC$rr zncD^q-qUs*gfZTZhwFE1{tD=b^0bJfd`HCNaUlOH?0bStF82w*;P~@Sf-7_ExtI>+ zQ3z*_eux2LfEXYKhyh}N7$63S0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N7$63S0b+m{ zAO?s5Vt^PR28aP-fEXYKhyh}N7$63S0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N7$63S z0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N7$63S0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N z7$63S0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N7$63S0b+m{AO?s5Vt^PR28aP-fEXYK zhyh}N7$63S0b+m{AO?s5Vt^PR28aP-fEXYKhyh}N7$64zg&6R8?o<}q?sa(H;TiK> z;_3GI8vfMq^-^hH;vzD+}Zfi z#&rAk! 
z8|b3|bep6=kRSx6cnAlXUH8=@NP>+92@*#W4G^MKQY$MntGkG*%3@^}8ZD9%s)~fV zEy~iTvBzFZBE|dgYRC3y{8{$r9p5vyWP3;ADO>i=_?p!>;{iCnX6-%x7ZI72b@c_1 zwlqoUBfBCpA|qeCcz3*~YpPOGDhsL+R4k*IS7kKGmaY_o*@BS`78TRdE27T~o(M-G zA^z{N1*KT{SmWFg{+2!BEu)V-q8f#QQa1J759IZEX|jMR_80VuB~2KmTz+;>;I?u_ zzx_7V&~!;fuet9An(Kz!1A)M8L2ADJwjezcc zOViduK{w}g-I5L~rP-=7t4q5-JbieNl*^+-QYv_bQ7jsz!h%#abxpDiNz+ZWlF#ar zHK$AEilOSJnJ>*sN=cI{dP&nO^vlRenqn!^JfM{?NgqCPn9q5uRH@?4nr`W;WlHmN zdP!2WGkV2TDtUTk7Vp8-c~i<&ORAMON=hMbEzq0wv$|TfbSx{Iw<-X;Smyj3Rx6ba ze3zA13Rr7)p$x#VRh7$yysFSVcv;@k3whI`4o%Mi47yp{-#9nUKvaL2gXk;Ww%V*_ zPw0AZe{;H1_H1{tmz~hnxl;b&s&2My{fRmKFy1(3owWis22~8B7)?YN3Y87h3PwWV z82gtT3d`YytTf*uJByb2N6A(CE;+9gG-S=NWc(3q9BG_Ovak5eu=t8gLnR;pFn2s4 zOZcS9!gxT!KkUyL)1n>bEuw8)+O3}f^k?$gcv#wh^ng?_W@k!DQ6E2&S1X2TD)uduCA3N(nlgWkjEBK#Sf0Qv#54(Chy`0l-#OwrV=F?{h} z>DX}zzw;&2!j@O9e8JsZ(Pzyws>zz1Y553rDQ40AaM8?G^99Y_#KFs2_Us8@-TK*a z`X;>0oRhPLB(Z+|wjtL~I8A9{Hj^+sM<78)Z z7|jPdn!_o4$OLN^ANv*B-n&?f*xs+Ww|7755!?HfovDZtPU}%cj%0JX98=O^Ii-d) zIj+UjbSjt4Cd0J7cd}7pd%vh+TMLFW18E0MdRFUtm`Tc zv#)F`81svAy6NG!zIYc~U!ohGNU@5cg+Z4-E)YD@^$eGd4C?;Tyj}{$PI2=y3{EUQK zecqkzQR%Y=jN~cv-Yn;vn(IRX&Nqe-}=r#31 z^M?ef)?x6Ess^?R{D#XGvgB}k43i}McJU(O&33bk+q;?sm$zG7T;6VKa(T4iGh#y7stjUBr3CcjpupmJ&Sr1Z5b^$NTDb<1{nTAv? 
z74oO`!onD6b()brn^qHJO0~2MjsCXprj>XcM#Wo3ZO4ckR~QBU5oLpHCUgZmqgycS zs=lgk(_5QFS3T#GO; zKR-W~!@Kkao$2Q=Jh|41;Dc(<7Jp&~YY zT-voa0~8=~zYDuyn+S+E^9RsKY5txQe?1{spi^wp^>{gI0 zNQvdjH(3reI!}yul8z3`0T5p!H92P#U_~<}EuUlZszusvsd-3j;Mx3pEHmGVB-}`AG7*QS+VBE zVV|d*fV&E$wEpj4Rw+=Z40)kFwsl z=pE>`F%XA8!k!Z1@KdnK!25x(e$f5ZPmww0!>mP^Q=W30Q%w{@8v)_kiY&ua|OhcqOGS81AQmt%O}{?~ne$=r4?ZX;dG*Z!|r6!|0}wKO6b& zKD}?+|9@hN>89>?W%Ez^tA3_Y8)U@jiH~xk{LBxq1l801ryAvj40-+3o4EhaY1n_@ z$f2V*?OjoXn7|BDu3{9W{p1sqrsv?}cKPYnE<+fN+5qR-M+D@%$PnyhO$VIt%>@E8 zhe}X(b?%WqY|KJt(hC~=daffEn8FfEmaAo?QQOE^k}z{Uv;F=?Z3AD#6=D&N;LxH) z6TFy5pEM2z1_eI*BD8O5;wA~sJPt?6B(U7vIA^fee2CBa)hmuDmD4Z-9M$vYtoPrseSMK^K0x{~jxwMRIp^@c{9qLj`&W=B6P3)e_KA$Rn%={tZ|d zf@S(_#LpB8L3o*LOb)^xRVm(bKfCtY0Nfj#APbznH#j{Z?LBt%@Ugp( z9o-u|aa7uSk{b;11MwiuiT9F)ibRuMlN{K8==1{o|$Q*=Tn^55Aar|t) zi%Y^irjzz^I>#nq6p^Unx+fD9uiKKEldpPdu1{M23s)5DZAoLwC5MoRyNtYfNkYHY zI9K8Fc2Zz;7oq<$P&gc>hg%NQcErk+`I|+o+*ch*|MH1wcx}P`+NZDI-l+An7GV*5 zro|$7W24r`dIdC|8R)8KUDc@h*<(V)|0;?2sRWvR9nJA57V&A;Y?BtU6n=`e2wmW- zZe8Fp)+2O*ukKup_zPX&Q8r5G0$<$$M`ltDr&C$z0-t1ELKpa|OBYyZ8PlQ*oMl}? 
z7x*gE1-5KlMCibI-{7qq&urYY<-RTPE!(&FH~+=vpWXZ~H$T3)xcPz2;Z6T#(=Tj# ze$(LKe;fSX;5P?v_x;r1l>>h_@W%t+8u+<^M+TIEV*{yy?Hix;o%espzsJALztQ*K zegDz-2fknN{S5xs{0Hy4rTNSC7gWYu*xCdzpWD8)xly~GVbT`|ISxO&ZXM;6QYtAE zh{ryzluV;IPdYWlg2lpGER@aVQrC2WLL0t=l^=vMyruA$*i?H5!EUx5Y zXwBy0Iq09^L?WDug<`2tESgpmdOWL8xMnC7(qmyoxx*E@b4c444uu?}qT6CF?WUmj zJ-13HV0bt=Cf%vd?4LR@gAiJ2H--E2c&I&1soW0dy6iDmVJ=&@3*<~2SLgJmI8K5y z!mmtSMI3coGd-=b$egB-ow*acqa4uH%0d}#`a50ncc!Js-9Z!0b)VmCUkjwpwq+FN zv|MGjnr~~?^5*HXQejczuJs|hw0gFr&$m52PpFGU+s#hsSA;{#Wp-(*CAd(aB7%Ca z6ok9EWJ!~_zp!8+Lj9l=JRt=qq~QIo&&;YC;%hA_XyTs5BN{i2JO;aqYS1{nL=nvz zBAi@f=Cdqj8**>~v2zq|rvMiu`Qd6_w_MNNIaSaVQ=d5wg?Z+Peka{CVBIctAxGt zoB@~E#h7fqB-9cS&xW`(9PCJ%y!Z-styos_v-oqCq8csf*TPf56?v4lV3yAfu$l2;yWAi4EVyFrgRDhx#b;eyv34`-5nS=vovR_p+Zwf- z*eJmjpWPAD!b(&PXR~e!nGuV0 za|ZFCn=6PWH%AanZf>y0nGtL3sm5_uKu!rM!?{7mVF#J6)Py;WdX^ z)UIjNwsX>J)0HkN)1@+*^*dCqZ8^rjsj+W&Bri&1|zfs%9MhQpAvn>>T zl~Ujb8nvt0B;w}jvjfg6o8mR7%vSc0;118wjh9dy&F^b(4keQyQ&+KO+hIgZ<4V>d zXz(*`rf~)95nuky&Qv^}Ra4ox98vTXt|&!xSxMuXYc`ci>j^CvPKQEZ8b88DiOqdx zM>Z0JWj>Zf&_!*8bqN;njEhBVX&KXG5mz>9n^~8jq0cZ?>WNUJwu#};j~){u!n#$K zt_mtsT2}M9YfxHRWQjHT-+HJtYZr#P>LhMuBOD1vaTl@m?g-4nxSd&;DMCtR*8$xI z;$-XfkWl>HiA-p53v^r$VbI(QXE39xFglZW6CtO}7mPNS4D5*Ymm~xCaN~+=6y43x zL=`9a#xqI_xhaVWebNJ@r%|jQ5etGDb zq0bMU9Xc`;9Q?Jxe>M2{fPdqE+xWc=f8zhQqkl2_&C#D9{mD_q|APNt_#eg1fW5vq ze81`Y(aj^9{&CayalhcVH+_B6vzwmv`Tm1%w@deT{rT@*fB(S#`N75_51iY_iNNd4 zo1D{AN2SS9wJ5F?U)5Or7$YNsO1?%hXdx&Ei#)tdki*wN4i|Yyn;?g;IppyCb&bUn zT%HqR`fKZ^Ig@9(C!B80PCPIv!$Fcn$b3A_=uS?0kHm2ud@wgsM#k0wHNK5CSj>Xcsa15?lB^QF-B%!A?IHyyoxEe`> zU=K>Bpuj2da3U4!Vo+(iY3bb+NMaR;fO#t@Y&h@2E88ex7q^;4c(ejtP0|&C@ViDC z-QEW>)|@(Y^whEA2gW8pJju--+{i;+V(Y27J5B7k<#w`kx@63kR@T~U3ysBTc0L*+ zhW549DroP*#@U{)_X<-$NqBImO-Y~;F5b^bj@>d;|5Rgfib3d!)0|+v_8x15TzR?d zsTte|2&Kz~f6VjcigQP=K*5zlynB<#OHn>{H5U1W^*h7{bWuG7#$*3lZnD3&{h`L9 zNYXMPMmKeVOC`LWWOsXG@i4<5o7=Rg5cm*&tKR;Qft~;Z@4MH{`@X}REx69Uc*u>P z-yz<|@7N38_Z^4#MH-9zTD?#OzOyr{si|~01qC3i#pPI93(ILOo0N4Wl+)5Mh(kr# 
z)>!1X?u9DwogJxUHX6}WF?dxL`4xMi3Vf%j3M}$V_VyUJDzM0J+Y43TJ4_WgA8IV_ z=WJQ10^eCTTRvsd#V%Oq_D|S}JIHylnr~f`9w3a2EOP}ygiJ}im`u;?T2R-d7Hn-G z++ z8tf*b%)O$k3t3oSt7ee@EGStsDDHO4RYetqZlM;F^#G zbnA{5x<#Cp=f)76_B%r#Yb@?#pI6%>KJU^PZAVU?(~ZU3_zNb*3wkq><@ae-hAMpF zhg!aQyVY3axvFZX!~z^%q}Wc3_0X4_Ne$zU}5x{GyTIQm^e?jV1*y#qS{rj`P}% za5|YK{|IvGEb?ndf=j*T;!-U)i(YGTDJ<`#dwH)pJ`K|Uuk+`9eZ&5L29^fqH-4=z?4S0h z{MY+8_rZ=x7C5)M<<2)KD`3QX&{3iwDOx8i!*F}X)$GM zIQ?l|FV8EMI(L4)vG_?wWj-gqQ>p2m8z)TR) zkgjFJsfes7Nr-n5H6&+4N?O*_2#Lu?(nx}(u0iBEu2VWZ++If3u%ekigyd5P6~vt) zjbNATT^eFMSr#=~=rmG$l>oFJVvU=1;0}_N&*44H6>G~G$!I*1KoY1#G8Rv#QlT`3 zu-cqwB_oEaYvE)JiJL-*|A;CfRZB$^YFdrx*>nW9jS!M=Ek@g@4XNoY30d{^yAXc@@N+fwr z+1Vh)MIZaDuOJ~!HWnASgtWj<=^KuOv@V?cC&M_q$-9 zMoVb+8{0q9Smcq}wHw87htFLG;(cvnvBEIUp4`pxQjJ9(+A7S3Z@`Lg-={3t zg;W{M;C&%I5l4N+&5Vt7VT=>j}N3MZc)UVQoa?+i1dx??uUoDXA_SuS-%EY6T~h(CLPiawY*ZO|5?`Qgcx^JoPY~O6(1L*Yr`R4vQ8V`lw@>WtvJCn<$p)2BAftn4c)6sA`oQx!K=^z!P zD*=ufz2z#gBL~eCk^7#d-kTwZK5jH28r&RPC>8*+Xa4zst;wg_*lr!=k6HWxwuQ^4%pfBW0WqIx$isqs_Cs;l}N}9#;!_&>c zL!~puX+0w!C=?Er$P9!Tt~DKmH;#7X809wXv7`GZ4l`30 zALvZYchm;j0YqBhB8jH&S5*UValM1BQ^?vUOAl9J)#%uG(M<@4dTaKK5|=JOd~vBptcbqcwN5tADLp&E(oVE@P>}{v5ab@z-strbT7F?( zSun*rCPkKo_UTR{)CzE^;DSfX&g|EK8<^xSq~X>KgW*lv$FN6$ex+&UjP8C;Y{%Wz zG7dwR4jXUwADDLcwoO0D?-haQRQVU{?BKaRz@BHyJgH0+-5@-UoG@oVulNn!E-;#y z)78@%`GF&@=@{G(Pw$_`B{01MiHU68gW?$ud2*JEb2bf)E+cco$q%G!-YKI3IM6Y2 zH9BiI%(>%=bq~_2c3EcgDaubmi8@Y9Om&^b?nf3XS3ldL$+KkF64^^SagsfQ^JJ(0 za1B3TWaReIVsob{Rxcw@AcZWh0n&+DmPD|%PoTDsYjy_ji8&-Q(hsy!OWsq+m$L>g zVBs8)tkR8KvIh?uXSmLq#!y;mrn8Z)R1L7#kqgH)*4~Yyx^+BXMrMjG zeUr10`b~yj)Z1fjNa_{?Y?m3Pra8gy(gk|6zZ)2iz$-&UHJS?Ga@>4lQ&8f?RW8N1rRE@F8y^1WFk!dPb36LVE;PG#DvRFUMr zxjFXa4;b)Jov7eusjHJM`xI*BlobK`9>5hFcU&(hjJmgRhbeOs$C&@6me~keWEiv95{sn&iQn=18UQ`!$NvkWC-PHyTd+>1{-h1Ha^kKs|joi?k$US}JE|*BvwsIz# z(q+*SlTKH((jT!EERn*BScH8!7P=Pm?V6XADuVp~0pAyW@csXo-|}btclo#Y-ofqt zZ=&&x@5kZEuON^AlzK{mWF^1C^$Qf; z==XE0dt_%W8b#D#IESh@u)N1|$XAvPrJ}N`hT~~m%TI>Y?A7%P6!hr#b6a?1M<|j_ 
zs|sAM@2g*+U`D^6+uS3z$sHpoq|q7Cw76eUzd#|4e*ad!HWp0yk0Al9tMEU2i-P+&fXR? zKxcPX3xMk}SOHp$0Isf{h5*+y;#+#!09=m}OuLu?Tu+F}S}g#seqyTaMgUj07~X0J z=L!@C8U)%qyV(TVo^hE2+Ire70&Ts(V3#4))hQN@|Je3`&dwH- zKxcQGRiN{M7K1>SZkJ7;bmCYETpeT~Xc`Dy9c)B58-eQ?0RXp|ptILyA?WOM z83{T&iNf1p;B zzdBkQEsqAbJif);lHL3d!~Zb+7sKBg{`&Aw59`DC4yT829QwPV?+*RM(BnfN*!W*J z{?W#7Zuk@5Z@F}Mec(CYXMESXTHJpk^WVGp&u7lmFBF)D{CRFPh^<>gZr-wEVdzYM zk_fH!3JXa~s;O{JhaDh{yzIysm<=Isc>>u36Ulfq6bom=*~A+3VtSppB`5CRvHI!G zRXXOk#Y))wyGNnvC35VC&PKd?B(3uk&EWy;aqz>dXFrH&GDG9*wJOR4Zu_%&I9XFy zj=FT^V_9;Dk4yL5H~HYq$?3`C(^LtoXsQI>47;6UF`+`Yw8#1Lc8D3gLtFv7+z4E+HC#8X+{|ucQBJ$ z%!!zJx6aKfW9s$GerjOpq!3@*(ix+e77Fck8ipPZ)-TL4Xe{z;$*~`Vn3mnHu)iqX z-Dii0tXb^f%%CEtGR6&C;;_2UDyv&(A6Ic+`GK`h>>e2Dohf&(E9}O#!uGVOr?+e;8dEPpJNOsTmT{0fvH$o4BlU48{h6Xc9&@hi|J zRNJo*<@w4Usb6@IZS7}g8Jwf*mYST<)T!lNG)#nA&Bw1ngc9B#@+u(Z4(gwbX@$bA zBtcD2AiRKn@mfL%U0Oh?U|fl`IiNl^JBE`FLBOca&N@#dys!BDEk2kRZn76cv+~@+t%|*~rPFR4*Ll;P5j22eKC32;en$yW9Y1iaoeS zhca%-c4tFRUW}W0D9lT1GO86-Cs70+ep$Q;Nk%WZP{RIXJ_LvuR3_OLV?^0q+8-36 zYd+T8C70gg-mW!hI}gy!0bXAHR;h#=GDw!ol226G^~_~cpQ-f=ALf)T$6+XZHG`0Tc&&3PQy^+gY^q1*-Fmu<16_=V9T8O!dIAV;mNMNIuu&!!ikO>Yz%({ zdeE~?#1L+CH&U#~09Q?en%r>h_u2N_qxb`as?918^z zc9`8I61LTmwJoEc@=1N~?_)LnqNCTMqTla~{Nl*7BWIBXaCpn#Zz%>&1r7${0sn^Y zBOAc)5C6jOmyzl3XNNyK`qLZ!-G)~;6h@c&|E%x*8$P$;QQyyRIJ6a_~zZONkBvqfi-T#zNQ zCzjPgoUrgM*BFWOE{E{=j(?6=KxAVAU*qVit*P6J5(AweT-sj0@M#8xFY+1U>lSyxm#{u$$kMaS03;zUfk&%Q z=u8ypBy;IpL{1~?zZ`>1FQ-$;nW>;qM?z6jdMvw|vLfJTc}h4jZ@+|q;3{%RDg5E) zM!5odL^828Z8GZA3271q>F6d8GXWv4(lk(JL_&a#j8^K%-JhtaLlc8HJd^9jf!DdbjF*bqg;ONHChO_V~SaB{yBHn{<}QaGFfa@ zlhHyrp^>G`oTVA6>H1kLv@S5d{G8HQ+Zqz|yxbNKV9 zsV()3gD%l9e*M+;iyK%2k1UMuP@<7UPE!(yEWAj$k!%Y$D0A@x^7JJP6ca*Y2S1*aXL+IGJYsg|@rGt#k*{2vHhd zZvlVJofUtU=Y%}6%!^6UBFf@=8NV1INKA&$l>x~Cjmhlo5R2N@vKN$vL>dxyaed74ki%*VwAz&@t&}9s~#{mI}o=CwBXt^$V1d$M5IGA>w`OkUw_SFHjC2zkfgfx+{81 z6)<_6VUKdROnjgx#9@A=6f(B?HO9iaQ&>MGi?P=qBlD}t8o2p2)@pvGL@&1aHMVm# zPF$E@DFKX4N@F`BdMJlXvAHD7uaw8dCcd#I@x4IVT$~YZ;(MXUdN}coIm8z_*CwHN 
zf%;QT3HyT*+pnx&q-sO72jd$L_1`zxH*m4<|JnTK z1AjE|>jSS2d|}|DgF6Q99lUq*FKzyc|8F-x>HqNN!sd@|zPInc^!;Jq@AiG8? zfYM~RHwURkDww#P=$NOAxcyjJ2<(SxZ4SbSg}cT)V;v?i@fWN8MYr*xu+dzoPKMff zEEg-8=V{VkGF60x&i;<|0G$JJI!;NNj4*#YVV#@hB=z?q>p6~`QnnNLh3gfku&yP>b;Mo+^ z#_p|Oyor9?LwJ*;?Xay>6oh)~uW$#^aK4l(3<_mJ&_f9=}vfv%S#C7B4g)L}k2e z2qkuEA!GxMMY3`tn?`gQ@_fpOn2O5rEb`jNqNwny>44BSHi$zgu_GRiC&S^0n!T!i zk?Lsq{XAb=LZoZMYPYjy{>6#wHy>oHy^b~V)h0-~NGI{dRB6oC5);lB`vCo|tcOEC z;e!7ASi4wF6Z+>*)-PVk(EM{^%)0GuoyI)oNL~%J*5F89l@+qh#AXNkkn5M?@4!2m z_ct7uDLVtDfwL`{vLcgVAb6u=}_dR zB`gzRc%h~_kGZEq=?-&VBp7ntRC5_wTP<~9!TK!d%ec+4XAoh}t)N{T&AfIg-3bJ> zcWf{{>is$pYPyo$9EkA?@;FP5MP6EcB3D+1tK|*tY2%v9Yq2{;)(|h(p7T|f)?!~5 z7SdiR<_h(TS8%cA5R)?!j@Yt3G_;Yp7ZQSiQ1v`VH6fBY>TVbUxjcC3@;j!DxTZ~Q z2k{KC25zuVwGhu;^@~B)$(7BNn?0R`C=KRm%c>h%=9%H7o!>;B&uIlL(n__M(81b#N~6M>n) z&e6Z}J-_L`P3cX$Hf`P1zp3Acr2hD~Kjiz!8pwtJCKM_AWZM)!ShFo_lmB5AZw23J6l?Y zjx?5baJUTfp>K83Ph6HqCw9;9olS5T-xjN8U!7E69Y`%2+?TsZ8GyD8JG{*N< z-y{;TAZe>KaU*nojTc>q|CkhZZlx%h2I|9?%cwI&PLbV>C6Ye-g!$0-)-v|PbYqD` z=RQAIwS8|5xNgfzr{>@dEx>t0HVJ+aie2Y8z`q9-CrE_u6PY4>Z$kQwgd%9Zy1f|! 
zIX;y{U*}Wbqzxyb*V*tloehsPmUt;!ZiDl^xl@mXBU%jdU`S6Rg#^;^L*EHQ7DT;* zP&}KBB_q*ojioEud;(40+!2qb)o>d1sxdSHzD-%D9|=nIyYDW!fr=8@Y4Mg*y}LV9?2!JtVmmOiAxaS)z%H*&f+#U zxy*(!R%dWrp}pec-Ldk-X2k>DwE!uDe_$foOWokFF7I;N;)r{?-qnRw+5zm##*5Z& zYAkJL2T0g$d~Z5}_cADCOV{rm0)b#roK2Hp5ksKZnP$sS;}eagVfHbf;c@-GH!qD- za`9#yNQtT{&e({#Yw-V9`$rFrCP$@_e;E1RfHCsTfdiX=Zu8TdKezen zpyt1@jq<5+W%R9 zb#!5LcJ$=v#AtZ*`q3>T|KR&w-!J-J^woW3-;a+zGx`kv`=alrUTd-2M}BQ!ul@HA z<$teiEK$n9K9T0n_g$u-eP*DsbT7lg&ppDC;k)Z*EXQ?7hTS1`g=WHJWG-^Z!z^0j>MdoS*hNBQLi!)$fG+|WA z22Xk1gEzTNlCwvnMcoXWj_)3>6;#}fgk$j(QWeDGv5<=etvC`Dl@ie;9CC2Fwbbof z#mFc;b;&q}#v(C?J$1E!Mp$9tNNOz>(0KgaV=ZL_RLqS_iBvRpSNN`UY%-QcT89J4 zuhd3wus5puaCtGos+c3*!SSyZe!>cunb7K_*c}gzo2=d<@flZXs zhc<1Z-@P=XT3ZE#P{8St`r-r{!aE7_tN{`CO3UDgyuWin?qr;U-FXEuBSt(1e*7CJk89S zx3Oj(7T|lE%$gr!E!;`wd)sZ+9A`bktoioNNH!YEDc~DXC5&=(p-4_vA`uO`Tug<@ zGnGc68K`k-HcFT^-`)`khZHpo?GHLsl68q~d)uYPC0fQb)i`j?IO`H-&9}K(bE>fv zV<_;sQGQh4UN_ftA(&H;lX&K8K6WiUldOJg#Pl9)j&A70B4eoYYbXT^p@SA`ubeiS zg|dWHa9JD~lTM5*PK<1^@-IjVB%3l1!cz*eDKekqetN!i8qbtYo56O@8ZR9MXNg3Qrs~9GJWlm7N6S{Ckxk?d}$gS3y1A2~1 z-rOK&ZDv7cqEpeFLp~D#o7Ds6G4n{7Q)Kt*rJyR2Fn2nStOmh+(Qfa-O1tpDRhc@? z#u5duf@RnT-eG_5CdPqxQ2>C$yWS?lWw@mU`NtYdA-1;9d|I6MOJirYxUy=)B{%=A z+ipprjBMu#r+SzYcLUQh9My2|vYQT~o&=Ze=Vx)In*F>peo995COp8W${p#Z!l_G||a zrU1S^kpjl|b_);wKx2vG6Z`y8fky*fmIvlZ@raJA@GWu`hEdCPX^;C|ZxQpP@I=Qa z_?E*wvAB)o_`cgc;JZWR#uC+X!xT*Go!NCnz8xkLV-*KlRc2ekbs+0zV#jB=CvA-oTFx|G&e3IsB``&kje2KQQz+gQo^32crWo z_y1b|OZ`vwoBbc|zoCDq?{EA5r0-Yymi*)X-M%05Z}R;Q-(UJ(_x*Yt``;PT^E7Z0do~{37kaf`oLjh z)+pUw&1->sP}58|MTGN_PvWlUk%liw3ItP|fO! 
zq$*{rTG8<=is=;GJyoM>ViB57izzFni5lgF1pu5?@}o-0SdU~?l#-bjD{+0- zt+X7}|C7wJQbLW93aSKR9{WoasX!Hou=t`;r4PwTtoCxKQ9H%}e7^wZ6({n=YDM}; zzEsL9R<%&bmoT-dYE;~)NM&dib~b89*%(=j8L&5CT5P~ojoK0RgeZyiJQdIiC$XD{ z-Mjfb%6HUwNk&oo>UpPpN2F1^mpv;=;XJ=Ht0hBPG?$X~L`auoS|l!`-c?8rW#dX( z&E+B?J+!S+JH$qb+E>r-$cA!SDiKp7z;Rv*MAW`|zFGUKcCckkv-TC1H_5u}Ohg(tF&+5v`!pA~gXo?n0ct3p*jf+JBejG}bl@L}n&p=hjX7EfugNvuc*} zYMwBSUWD>h8l8_EFi=8O~s>j~ZE2 zc>PSiQZ=(cBHhZDSamF%lbnuXfvO%nlZ}K>5=zOUP&ufI8N{KJRmIdzlo2i$3;?<` zE1#(rN_s`f<_q|ZE|loOA(PFruI6)jRi=thRR5{HY}Rr$uENRXi$G#ks7f4)TuLRZ zHP*P=wKsz=GtX3_k-ZtQ6B)J>C~Ce-l&r!-?OnGXC=@13R%L-b1n6o2lTjK6xhima z)TJ2J$xSszC+(S?qJmAe}?UO#caK&381hK-uoTV7Pr-rMb` z8?}9GYipBYxU1&mCD64VRBd~s#_KeSLXyw76tTLoQR6imMIp)O2U-ZD4KDCOUcgcC z!RNpSQL7Ih$1607k9&^zV9L#Co^$g-Ub0c}!RK~{qS2h5)Dm(cp@n5sv<=CMn#jtL zR63Ljh0f7F9ugQ;LR5)4Iy3d$BPn0Zq+a>_UMLjKp<5A^E zSDi??gf>Wyxx8h{?$US%8{ro zxqMkizWCUC!7Zg-d+EdTlB}1d>;g&2(oJh&eQk9Zm*ISS8#P|=us*@*&2tXt`)9bb zASt{UuuW2kJGRv2dv2)y(MFAz0e(Udwda2LxZ~aoLlBfm1d3z?j%0u&djk2Ark@>$ z&^v3QnCG0F)fJqby#cD(KF-g3;8OV8u11a5J-kC8Oc(wp@Q?KWZT>I%MxP%2+~^~t zTLZrz_(tHVz!QOo0HnhtQNQB9$DirX)+>~;83^LwWrCJJ7Wn43uRF!xl5eBWT3=yp7B-UwLukpSwR72lNcWq$|Bzj8CDTZamp}5UNxY}FUYeM zqgr+tD4qdN&7VQ(bDNnOm06{f|0EL-%*)T>!ab`V@7jApFP1a&1YK5_IH*G4wse;^ zc=J3+TD~&=DLHy;_~x6ZPTqC+&;)*^@yqpCaB}=imdi@gUTI=HL*_U$vvr}ypjDD?m=;y3rD-N!Nv@fiFAUqSaP-Uw{}N{W zkALqm8PdTV6ZVC?@FK|zvn?${k4GD|9D~@RP(EIKkL88kmss?9PfOKjF&ndcy0C0~ zH^62-cG{SQhDtv()jK$uagJODs<Hf?Un$A^$JVCivwK&3QNEz*kfXCFOVf57Q$D|xWD2BvIKmbwFp)F1-B*OW2{FU z#us*Gm2fVZ3Pof^QxS~<}FzdRCZ|w`)3da26U5(l)2Kq0UqIuo2Q@bmH+rd}y zp{o#^?71(=Pej(Pcf(Ue^Il$G5oWy1-Xce2T-iw!0GWkW#Z3G#rbog7xVD%*!fp%) zL$MyxO}iFS3zvBTG!qc~mcH<~$ZVE@dopPN^_S4gHc^jCm9ik41)~aY@d1A54N=wOA$* z2@kj=BuBjJBKNd8WSb%scfhubQp^b}!@Xm>VP#1;Vr?X|E>Q2m2ZT-H=I z1syvbmD9N>6y01R9!f&b&ZQFD8uhE#D8cYw-Vu$3Ls>nQ3T*o2>O|SIygVPTjJ1iZ5Ru9wr z-K3pMQwEINFvzn&2<{(P1sql(4;&DV0zNZ^OLV>$K4-~myIIs|2(~M>+K+`OY!-GV)-N~A2yBhT^4BPAbI7fKd;Y~fZ{hw^pL1H$u 
z6Dt_p%OlWWEY>14n3q~KnD;koChNV0f7wd|N2X6qPe{{qie^ACnFW8WxF>v(l$3{A zi=bIAx@cCd%zA8#!OqAkOrB6u3^q#8tQU9Wa;caW28QG1rIwdp2eqZhS_Bn)u}Q^h zg_c>GRP4$|?KJD!%D?f&ZDb?@q&B(detD=d(5MI4K0on@*yl^*{JDGq(ka=s9|;a+$#s(Ob0s&)nrL;?iV$716(QNE z53|jg5gXCPh|uFSV_%0__I3NgMtzXAJSHY{Oap7B{ns|?18k-n#Y|VYXzO^RzL9n6 zqH|y^;KH&uxR?DB$p-zbMVzyjT<5Ib$9lv$dueAPtHc!u2y!-*j?1xJNRd;CcudZw zBJo@-7fwW@F~|mfHcFhcmv$s#(MUR>rf|;czLuBMIr}tg5$EhB*E#!C%PcMD>@n6Q z&e==soIU<oA4^^2_uSO6$77j*w>9!X1MUVu>_)iy4e{#ka z8iH^dSydB}0Fh849gBn_QN+h36Y(VZ<85~0(u8Pqa0<*`Hz`!EMID|pOiP~RVRX!Q zAy3S~dmvBG>ALkEFl$HWeN-tFY2B zmu!W!yTQM9O{4Y*=h-&8J3M<`n{YX|0Br4(EysHi<}eW`!o{}}lBfl~vM8-JZ{0gT+S!cqh!mq+OdCHGYp z-xf#nKK9M-<~Xq!9#SU+(^s!QA8gcP48xy1!eRUBx*5ad!&OG;gwlu*yqS~DNNOzx z=XzL6$&sW2-?FMIayk(S%L*dqa?zxkOGfnN$vT395ugQ=WlP+d%}sETKtv=%jWh~~ zf7B#IF(W+M2`IA{$duY1Dx{0LE1FVNm8zC66oM^759`Y5ps6brb?%O;l}qirc`|Zy zdgA7E^n(xY(+Y)|>IW$XbDxW8Fcza1p!YDgLw<1+(QmWnoM8o1u_%JiTu-}+BZAPP zh!-$z=9ErG!U(5NCgb5q3J&=s0zQ>l=C~F1KA14oDhsD`On`_fi-hn3@dOmcc)Iy> znMmzWDt`HSm2kOpM>Xk`h+zQOq7mCc-Jx~f%AiX8$ze*u+wHQBl6s1;G`{C-0Qa1` z6jPVGTPc_bp2tNFXrT;xZ7gk>z% zSYDh_GJAPW;OnOw^&M;%YDG@DUg^yhC>94-cF4VR2A&Ll-GT>}n4D(8^n~j<2s9DD z=ZtyWA%dxb#iNpCisDWoN=b(fP17ZzDsCNto?ho>Hm__y)u?ahixTU7#nE$Ip|CUs zMZBItXboLA;?vo0U<)#(GkL_l;>HgVG76O4-l$*8UM6e^ue8_@Zg14DVZAmm2IwV6 z`Aa6~B}dqrZMTSYm||}a@o!>p#K-Uu<1K;_Kp?7z-JkdBPy_lEkI6i*il^RVf#_1z z^R|G5-7eofMfJM~(XwI?CrHfu-%CC3#6l>q(#@km&jo-~$>{IE;Vjyz6SdSobuk1{dprYksaxSgM5CoUi z&(x&)DX#YN<9Y#Gxeaxn4V zz`BHq{}o~4KaUUm0GG~$@cPQSrL(n?1E$xn1{U4Lu}h_Pj6)8^S{WO+G6K0M z#*SV|27{Fh+iRv!O;)&e<92WL+w1Wl;6cEHfCm8&0v-fB2zU_iAmBm3gMbGC4+0(p zJP3FY@F3tpz=MDX0S^Km1Uv|M5bz-2LBNB62LTTP9t3_+Ah2a%%=dmI>L0yhbZq1s zo4>sIvztG;d1UA-LyJSDp$CR0hi)1C+rjS*erxb&27e5>|6_y0{eLv@_XB@9@Ke5@ z8~F5qK5%3p>U-4pfbY$gFaE!LwU*yqf8f>et{uxYp8sI|ovRT|;`cwfj|IK#TX!hf z@oHAbUF3TZ>?EB)tUL?#O6qDv4JRYG*{&mdoQf2A>4=(^Q%Ng5hn zMb>gB|DB!3RlIJFUPqz%-Q%cO#Q=(uV!_yUI5XwtLROFBL!pH+#BZVp zx^YE$)8*6pY2A=5L$0t73py9UcvjbNx;;XEnPeIKF0~UWZ-zplcOe3PnLsTBRUxZ; 
z#X!WFJMo)D*-0eaI;fn(FGHN)SAT~>^ZkAv^SjRu`MtXS4h7}={XG6}Uo+x&YyBNcPU07r z!}dA18t$vVvz4K4ZIGj`6WO>fQn;o54rMU$`+1z=z7aG~auTOuXjlCmN=f4P^CTks zx`c$=Cl6yONr^Ld`(*tcN=@ST^N{d;PDJ=xS;DpTcShJmJR*EwOF;Ph>+ft~oic~W zK>OBWU6gOZUe|5c1G}E52YBDcu4|t!)Zf{_u;6ot*f-y{ZeD-T#8t3@wyGKQLj3U(;K}8fcnAH^G7uuxVrmmOh>iAK^n$oQW z1vAsV8Qcm71KZS`oC7%OSAVCUQ(aC4Z*!>b<==S_4N4s05Dg;9loP^f7<&Ag`a3?h zoW&3DgMbGC4+0(pJP3FY@F3tpz=MDX0S^Km1ULkqIKE-n*LTGgPaJ#Ve&3&~xp4fE zM^vLwP|Bvh`+>YZFHIH{)7oFqE0#22lydpmJ%QWG75(6P(-EInM+D+}WR3IDJ^XH2V-FU|56(Kasa*3alAYbLLaho${T4@d=LcBZ5h z_3|_5nc%UqUQw*PQBn#th`oc}!{^czOBtImibbWQ z9nP2Z@v=FlpVc!`Mpjf+FI#%GuqS{y^|RyjKGRanIXSB0GRr=OaH z7auC&yYNC&I$;=vK)I4PDtT*RT#5uLxG(CF5$bTOBm64B*9NO~l z1LJ|+fvblP^#Aw%KkWb2{+Ifn?0=yDw$Z=pzqx;;?>G9s);Hq+M-2b6|F`{L_do0Z zg8x(gg8w7_d;AIiP5vwWS6&M7@W16db1CE3JGSpXu6N{m$5k3jg+br8K7VcckZD$R z-yaRm9K;FIr76SATlq7(ITP5g;mk;iik~=6foZjpFIy(gjV3A7l?U0tSwEvo7S5e1 zRZW~njIic(3B(|885K0>r8D`8Q7VF#j5L-`571k;h?j1!ZEq|+#1>M&QMC0P&@ElX zd(?ui5LuFpilj2?R^_BcGIE@r5QUJc^YqNTe#WX=`NEiVBtJW6Nm-pQC%Yh3l#*!_ z=aq_XN?Mi8NGntm$NqFq2VNL1Qg2KMfz!Md7&y|g(JX`QqvA8QHRn@q= zu{6h8KP_4ZrmJQ-ujY-aDNPd5#KNQrT0X6vQ)YYZCrw)JDY4wE8cVZms%?C#KfLZl zIFyQ@IoH{oyt=WZvF7)SrzL#5T&@^uq_L#3o|B?yXC#$M>gjMyR`qm3jz!}+ITa4Y z<#;-pj-n@&j3>7>ma=Tr^Uc1^p~oSDw&RDFig#WY`WyHZIu+ zsYoVX0OX@D#wjrIw*};}@xDT9lQ7>bFbx=`<#Rc`f(Zq#feFo4jB42gTVfq5*b&(A zoMn~G@nF!xM}U)!Vfx^lQZeYz=#?N}U=aHjN@MHNsc0+_Po=`i9z)fc{Zl7qsukTe zGM0?TqS0hHoQyRXUt_T%Ri!dUtCT}g zITQ*9h%^}0imDUqSMlyy10s(^XGJ&78I`^dn~P2~X;sx4r?W%|j=d-PLpzUNQ!g}s zNH%sc*#*6lBufxcP8UE5#m^E@!~z7bQ4Lp03K8A>s4Kb*B_ckN#oik}tx z_pZGe%ogTtyTn5ei%+n}m<7W)T`h~BbB1Y=TtrfpXtHMkmR6*oW)zit$)3#aV`#a2 z=M8)$r~Kv(D?B`TR-IEyv$}MmQUw4Yrd6{X6g@{m05qy4(ET23Wa}sB77SG>@D;n* zkWn%1ufjtFRY_K8e`zyv6_Q(}aNI-#4ygtfMcWIt~=qG0WkoEAjXm`(V}STsn{&yl=r5?mgNBm7KtQC03=8XGW=%d4KU&qXbM26 zSUY+s6yugScH-D^vMEltdY9s=xr*-hW?f6Hq#51o=N z?NGMFx%b_6?zyMkbI%dNo-E;vQyOC=N0#wQy-3I?QwrE3IsWV7l9-l>PkQnYm-D>> zBcGloDYbq?y?=}nRJDr})OW0#h}bn;4GGcOT@(TW$>3JXI=E!;gC3Nev6OT!cB%KD 
zrmOzAldsy_$VT4s3ehf&oCt$M0uXtO;xGAOP!jTskrDcliG~o0q_v}zg#6kwM#;z+ zqa&n5qapNLPC&@t&C~OGJ%2xX0*P|`%Nq6cz?I!;5z^p5HIt&Cl}Qag>D zjA`^_%pfS{)_TY0nQ4S&i9y(!D5wp}GG>-=L0ZfmbMk`jKwx$+txOfGDeBY!F9JaJE)B)(Gn=omGR%>+q>MiY}W1Hhg&MjAL+0^~_ z-LH0jzw;ZNzt#E4&RXY9o$u+qtmEH0zS;4+9q(}ehx@CJAGyEe{=EA(*D3b__g?p9 z?f=yNwf5g^|4jS6?WfVrPw1cf?ocl{C?3uqXM6wJ+mBD#818<&cBT0d^};3!^`GMB z=CySznJbzYiE=5%GqM;A#(bfy1O+=5gn}K5WPI6JEGuWlw44fw_Ie~#!e-MYF`+;Q zRno9xK#ZjNtSqF!3d*wr`<}sEkh!G=g6h7qJORr{epZ0W$7mEaUt~(@8qs8#J!T{+ z#(YvDloZO4VxeA`)lb6T4Hc9KbF~U=2IZ=MqBI>SrsYb2nouhNy&JBjv6h;q2935@ zQO1>Nxx(}+(k-u?2nItD%0l%bsBxhvFXFlz6t@U;w}h=SY3Pr!fEXnDqea78LC0H3 z%WKl}$l6R=K(DZq1K+Sy%S_#{(8eTC2bKHLPbj6kNYlDp zz0hH1F0UEP<$~MHTwXJn%cbgtc3Qx zHE1ChoR*SKM?$^-URspqW7x<&OYSuI;YTd}ZL5Rp-b3lueVmQIrb{h9ZbAX$?A>&> z@8L_eh&z7u{<~=H5nk(FiEcu&xs$fw6#7*n*~EeX%B&eEuM)}T94+A>dDSf0%+MMx z*}S?Voeo742}$;aqcPDJ&Pt+BPKX&_G%clKk}N5iYy>c#rmeVS^Xhgv63v7X*))-C zs&oEkY!|gYM)fxJdl!x;fCg4a(H+xf+nzv!;#M z+(FGRj@4af0L0jC5dK6Ump9FwLLC#_Iz(8e75mDyQ+7gp`AATp50CS*C#aGW%-1S-)1%2<#1gzWuXi2D3*!}$Xkh)a<1|!v27JC zC7tt%dVhgQuL(v?UwsSf3>)*aQc+`9)3Gss$a`WY zkac@9?52V$8ISlu@YOZ>GVB?{(Hj%?5VM%Q%>~O~x0++*AQ)z_6`E95?iFXNvCm~J zQ_QZkejZ~On%3@NvBmu>j%%FXZF4{1&3OmCH+tXebvVE4-rMt6J`%t^mzRCMboBn>&C!GJ`{9EUf&R=lu zbYAW_>v+lWtmC&GKkry@RK0)aebxI-?~`8luQ)$-kwny1H_Joddi8>rQZ!DzUccmn zMWq(Oz5iazo#1@8dSMTxa~Jqk@DJB7BT<(l=)mwmC<`Zw`I4NW;!ijeOG7u0`^1ze z`NB#>f|)Cl_GP4aG!l};U?v;4zxLIxF>lG0bNRf0|IEt8()3=TR7q#Z^(edOwv(L% zTn1Hg;FrWB3EmGvhRv(S=A~bMCaC%vvR;3pPz(fP7RB7ElxJ|2TB5#HC3Znf?`hf1 zX)q88usXOF_)55RE>-}O{Hzc6v$ciauresx_o9;cA)uETW6s4lh-MIg%5UWM6 zFqX|%3u*ld(j;))4Ypq;Q@UHu=b6;w6F7tjdG(Q74iHN?xpm)t{Tgl69&AEaMeqt zLil5p;dDWzR^p~KD-4W`3h+^aqX?02XC`y$NpjDdCvHla9Fh73nN&gUo&e9LrYnEX zzd6VwHTGw#dZCNXnQM-(ZI4AG;Y>7^j$>c1Ht*}}P+KqTpe0;wechzCUU)aH;Q)Jm zhb)ESsYoUWTbq>eg~RaFk)yGwFD6GqVk(poLzyTB-)i(2o$%Q2Y~#i@8pLFotzLrQ!hBls7c?(d>K3CEeYHw}yNLL34GNwUFu5PV=Bd{bK0(}r z0-7WW0;JuRPk=(!QnbsXN=XWx3kE90^(g>)o(dG;&WnD_wY;Ja2G>-p&k7l5yddYt zab0;SC 
zxVKI{*tW5zUUL23L=}maFI4h-gn-gZT}2v()mkpE7dJGwV}av**@VvNe32JQ)8j)OMD5{CiQ`*KPQxmNxFZL2|y0gJffjdd)8Q7e$lSwbzw2*D;Rx>(F3V*A$0@cws1G{G2R1kUniqxwW=k zQNP`1$BZ_jy6#dhTuKon$&tZEsM4fTAk!rlWZK5$iA~q47kX$#gm>b$o9AWfg)Q_e z?Jkp8%0p4~+HLOjH6n6srX||tfm!76&>AjsytZRCHS`cVKpap>z1X>ViL7)YJ76e)lXhEO_ zfffW>5NJW51%Va>S`cVKpap>z1X>ViL7)YJ76e)lXhEO_fffYbx)9jXb-Tmmc%Q@Z zKKELq-hJ%4jvmKWXIJN^3YT4WS=T~>KI(D#d_MTT^~#ydI9%m!N4O^P6OqTN=HKaj z3D1*FA20_htz;bGsEF4cX$t2(^6;df6jBHRXDWfuA9>tNi^y=5T8ejQ{%We0$|KAN ziNKL#9aiLN#r%63u{+T{VwfRPm^OFwZ#wy=0ysNcT4fNMs!HZ*bi|7qzvL@Ql@MHn z4oGK!FiLRRmdj)Yv_N|{uFuI*KqqA>;iFl~Xh-mKvVcFyNE}?oB8>Hq&&bs@2|1`?1Dlb#)ZE(gd9FYn^*6(Y zKWgMSNXIHFh;L?Kxb~ActRh;#xb~ZV%K~^|A+$xRjL>KbAWdUlA(k5HhP1;eBcWR> z=6>mZAWEFEQodc*=G5_ZoB+FI;2;UtHIB(>X9wQd<20U{wl9qz(9I$n(^$dBx2J@T7|~;ahKOm@h4`OxOB}Hd|WSFjef{QIgycj3Pie*4?!eKnnsb2(%#3f5Lh(?2I|>Phij{|KiTQ{ z(IMh%=RTH~X9ectfdny?8ubdw*7EsTq|lUtzM$k2LxLFY4JUddQGYNJM(LiqLi^c* zeqLk!G<+QI4MqH7B8mW&d+M2$KMwojQZO3E$LSS67K46Klwt`?Bh~P6N7FQd34b&g zi-*L4x=cSNYyb1Lu07ftlKe5`OAST`>L1qo`LFBhClro_rNp`VI1;*Vb=G%cLO(Qh zMAB6vQ7WA6kV;wL0l_i|hfCAqrUj*3Mi{@DNhF({P>M9eIs%rOk{u#iAhN$VZXcE) z`bnnWC_wQceF?9dMqU*f(0;<<1pXPQ-=_D&(O~uHMEeO!(O4`vP#@F#d37E03Hl=u zQA)%H>bL6s{9s-Eh)9bT3ZAQkBqxus5i)rN5E+Os@MRAPd1ND=7Ki^$PKQVti5sHKX z(i3_=f4Z)I!eL1ifu$pQKi^qLKT&@o7DvYBbM;|kYyQO4(HpllQF1_{Q5@JIeF=YT z8hN!_69wT-h$8wquJ`lpb@UVQBTG+046d4SwLWY?pap>z1X>ViL7)YJ76e)lXhEO_ zfffW>5NJW51%Va>S`cVKpap>z1X>ViL7)YJ76e)lXhEO_fffW>5NJW51%aPf2oV4O z%iZ_3dCz;V?0Kl?rY$dQNq7Ix?uBmm=1*+i;`udCyzA+%J??uuZ|?YE$AtTTbw2SE zyOh?%S`cVKpap>z1l~FjsMc@0(&6knf*E%?oDQcmnRIkI9Ih^Br(@HxiXR!yg(0OV z7vLF2f!8ivi)491I8J5!;$*EF{Jqf9|T)KTHNZZad(> zIVD{q0SSd%Q5aQHESah2*Z;PW2J^sYZfP z;`7?dY&2~CN3S7{Oat@)0 zi)lrmu}E{(S!AQGP7+kclnMx9nz0!j4$O&|D2a_Hh|Y^-y^e+)KXB#hXUOO=jNXh` z+KD|gcyLhIm#)f{v(c~}W?`&II1~iBS|K0pCGOZ_4BO)PzAIZlO~wk@uCz~1&C)$S ztFO|2QKBSC(Poemf9+r*7L7Un%yn=56d5ROyQt*U6yiv;EgYT9Rh4|MQYAatH#;R) 
zDhRtO3;T-a2+6WtY8)Q7v1p|E5J|*sI~0sX9p7_R>!V}_gSJaG<U9E(>c&Pouk?U6VIYzF)XYZB_n<*92LQ_UjdQ~l5y;jgbD+~(7t2BF$8x8lP=F7 zlskxl-Lk^|m=uy?!2iY*K%QJh;!)A@G6aO9WH@^P!F2GKAnf+zh9o@7u{jH2e+XzB zmK-k;UfTN8f?!eKnntIa|mqlwmIJ8n054g zuV;Txc+1B&e{b_2Y<|@9&+dP5|H%D^?k~AN<-X0`?-t$L+P~laO#9yUZJYkzwo04a zHrSSM{JHn9y)Swn^?ufy_8#)ayn^HB9JAirytjB0-ksjd(KY$wdeL>N8H(G~g)7~T ztuE(#X!HWdH!j(qFO_q!O%0W*ll#?$chTB=c&*!H1EB`VVQP>(RGcnxn{1z4fteqd zD92#$FIEL^eVQ9q7kWC#K=)tH`uh6iciojPAyd*+McH){x&K&Lm))NCPnDGqygyya zC_*|9lkSbz&dP=SwIA?!s<~=j=@m?KI5ju~TO|250~-(wq-;LitS%hR6%|h|(<`J> zv3O7krhQ^Go%Mx7@sKZ0{v|3f+liSJN)w)pQc0I{Q^bVYE9^rO!E_bTXN((#DZ>Jb zd}P$7HZz$^PvX8Pov)#_kU9r*CCUE=oBm!w&eLnM>U1unAe&Yxm914clnP39vXmiV zZBo&&pzsy&mKDE;MZoA4kZKM25=j~~Iq#8cXjI1f z5KIJu5l>Z~sPrO7mRzkOgBdY|vuiD*s452IQ7o6NkSrFHV|gF>4?(+^An+r#0)p=B z+#~qN`u31aX1LZsHaH3>y`?9M8$p%{4;Mak3bo?dBJyi_^2)T5?-g);n5z{$xRha+ zK%{G)k8ieD;4mFemlbN>M?+=j8{=oYK1W7#i+;geAu!Ul% zhE?w<0xCT!JZA{9ZQ;1qgObgblFs{P)CCX4$obp&SKda9G{q8Pmq*KCC(=1$zX{|? zlFL~JH~QD{3KI7fCs>KVtA$+v3epP#Jw+jTbe}+S`jIQv-Xpnmxl}1-t7E=Vw(c<> zyCfV73<4i0bYxru9NkCvhU^dP3%DTrIr7uJ+qGv*7-QSEd$$LjDd&30K)|ocq%Q?P zSA2UsbkwyTD`a;Bp{QcxLLTf`UO{?2Os9}5){ro=R|tBlvs1uKxj5UjYdh72F1i~x zamaU!?X)}Z6Ygb>PF1TpPyZMLY(D=xq zlGFt!tvSJKc7&qgcu-bEpDdX za43~hE?4J2LaVOgRaf%!xmBIN$I|9qgrwDqK$CZ>^LNv#D|wr(j2bN7sm|X;ck>fz zUbAk-pj~+O<%%+LaT3D6nw8p9TU%~Wom4=RH9vt;R*(g7IqDaYqJs)JwunboBTNuC zqKpRP-VXQAlo|DRABVA6u$*!%?L=RE3lDl*l&NW zf+U-QY+RXF2xeMQ7O7uJVp4*Om3(euvMR6~w^TS`I86}TFO1B>wE_+~vzT>tGFK7s zKSi$0k`F6WmZ)7YqG^vh zKT9bZ7c#yEA!GiWrKD30s`E2+c?*Mld2eAMqv=TO;)pCj3}+Zj{$`-=ZYtR9IyyKa z?8=cdfV{%h$zDh$+7X~9fSdxfL#fdTewg~%y`uEeK>If$oz$;Y=cgG?hWMu0$R}^m z;adIC0=CsG*tV^{MV+s*iFfgd>ypt%IM@35)=qW4Lg&Z@y{}!eBm;wP`tD}^l$SsX z+DiN3Qqb3l6ci^?&=qD7e4R)^m(vn11%2Ht1-+Bja4G2PJ659;SyTKrJ%1HQqaOXEN#qE(1Mp%aVhBQTngIKe#mj1+HcUs98c zl~RGqLi?0F6w!)svXqBU5%D2|rUwOdisU3GB3xKeQVLvMeBqRYf60lAFCj22;5DWX49y!X&|pO<&Tta5{VA3av3>mA) zLMP9Y8QV);Gcz-O_)aNPV6&LO6jY?LAAbpup+q{WL{f4}i7P?aOv0ip-=q|$bLCQz 
z*dY#OZWMz-T^==CiyB1Gp!i0KX8p{-I|%aB6FHQUJQ*QoOuCd`R^uWY2yi$-TW&p|MV}! zCx0-TB`(3#TBJ#KtAWF6Bs)G%MVR6vQ*ZpTQYclydf|+$l$VgpxLpf~88|$6xGy>E zI|k2eT#N9ZfmFVf3KZlDfjhA9wz0HUu%f#{>A zMgS3B@lpo=OT`e39HS4>k%XItU4#97aAcQ@XLsw8TAwmo!>v{^SJ^9+D(MWF95cnLDh1J0D#-*s^pMpwjY9NZQ#3Bj$veQrT?08&l4umAw85NJW51%Va>S`cVKpap>z1X>ViL7)YJ76e)lXhEO_fffW> z5NJW51%Va>S`cVKpap>z1X>VyTR~upw*!8w|KjMrqkFvj$mW0T_}h-}c0AMZD;h;Ki}}bdOMuOH4XA!Rb`H8+#&T5ybvj$Mf~2Q3f`9mgb&^#my2+Zg13{Z zo}^wFw=n;iN8F=F4hh3k@=TFDUK?dkrA=V~E>qPLv;p_sdlfx znLi5m-Fw*NyQdDBJwG1akxnCus+<;mVJVaFg@akVMo=;cCy)*+q8v%ZV@hAPOJxuQitlU4p@fGURk>QL1Vk~Gh>Kz(A;rV^ zYYg#?SK)Ri>?+st%I>|w2etn2NG_wuyBqxRL}^w2c#Y3ubzeLNMeSJhkSLAy^oXcy0W&ldAEFTOS69f;e_lvZ$OyNBUyryjDDz}ZecXmPfC z_#!*oy5w^2l-x~AT$Z?iaQD&noNzxxUi(GESV_{nl7|T4{va*kl<^@m;l7F1 zaF@M@c7)_8g8a%EpD4v-UpNy=`Q&IUh7d4OMNVh3@oYu`;r;+^#fk7k+vDMEMoP=k zEC~1eX%#2j519z}`z&n?!hNZ#_R=cubo~%@x<2nw)dYqACwcseht^HBHKxbH-srs0 z6d?!x%oAm~z=9#H0tBm|*IKX**&G}vJ(Alu75+(tl~a3ClJ zG-u2HvYg2)EJT173&;Nb8Ee_($Be#K6(46wQi@0f(eN8ZC)wKy>d>tDF(Xt!p)!e> zE;ufx*Z@W#qK1lct(eK@kqg86eVRQ#Ybc$uFD>Mz%F`9a__%RKl{98lIZLyGm?l-M zkl6RNDWf5Y88ntgTo{sIp`kdHtFq^e4ds^QHa@E(@5K9SWdyaT?n8EvbhU&qJ9LnA zAuU5_85>*jHJ=eJ!4jp&12^}LJ@P~P0qY|_u-PM81Rr6zzyFBFXsI83lV|c#RgE)h zyqQtUhjh-e&cgvZ8KY!}^MHp44~SYyI_ED@)d(H-!X=o*5Ea`e)9&+anl)9 zJ;2VxbzFL|an)b9Xor)q-+U4t-UeZ1fR<>&ife89NK#ez(e@QS-Ak5!X|trrPxAkX z&Tl&!Bl-3G@18&F`AUT^E`seRk}+AY`WBdQu^SbUa~R~sy* zk2jn7M+5g*_sdK*WXAM|w)Ly3L`!D)l=O$0Ym(%)sj5i3;V&&8vb?m6scMkcj`Km> zt0o-~`vbHo7yBP1Vm}FWruu0yXJ-!*vEN5axY+-oS?u3SYq;3|;EqrRNre!y!xu~k zgT8PWF(4DMRL~d7O2M!c3n|fb3}XKcv=tZoAKac6B?W1{A_(%K?xs~-?0?WC_V2Q^ zF~okb)}6G9hsk(wYrZry|1MR1FJrjcDC?H`M<9MdHW1_rk43tawL%qeO;;TDiH+{AEpR)S8jYFxSSk~h+Zqo@S%VhdNZVLB0`dN0H&Has);j% zr#1?}NEL)|ZQ7SSfLEcAZYXK!(avaL2&FW3q)8a1V?vTNnMClb>G`!y(60ufA|u4- zG-8WrLMTwN*}MTo^*t10xuW_YkD{qwPfN9fN94%sEG3=l4XS!AMeBtDcHkd;3(Juv znaM0hLR>O!rb)(Xkn#+~(B&~ELvrNca+|3y2wp3NeXy6+z#@f&XCqYe884=(Ed4FdeFj_u2$7| z)7k)Ewz~5MOg^q5jGhCoJ=|cXf+Go02eZy 
z9o^W3be-h6wsNjY_>^Tv4Ur@-0z-n?eEs2zmy0)f0)Yy8g`*=v^2Er&!J$JVr^h&0 z4IX5}sO;E^4OhV1W>X+$drJfm=TeH-8scbN;1Ub|6E48wn{mGIK&R?ZRoq}A;PQNl zBiGx53(!qDIx=S36uv8z3z+D?l}D_Bs9W&WAnj{co^g}fLpSP1z6CavouL6XaEoP2 zx1CVcZbpiEV7dpEB*kkxfuPDP?lz~&4_K)3dsNj!C-Oc%WiwSa0|vC21&rpj`AdX0 zhhtcXB{=k#2yO15J#yOoB{OYiahf@8{?d+kCK}4fnXE6B5D^7gjFSwLsi-d$mPN#y zi^O7z4BE`XH*-4srR|AeEEA2T^3~NsIs2 z^XrbC&Kn%<&Yn;8$lWh=Ki&PCn}4VCj?P;keZtq&OBz1<|OVs(Bob+ow&0PrJ~+yEI#H)jLU@1j%Yi2f)+^h6M7&0@`Rw0=}a>-j!aEz>1k;0CBi z*Ui^iKFx+)noPHpBn43~)4pt4#!<;e5v)iKg?&ma9hH@AI20Ab_W2WvBw;uBGtG&> zBR_#>WpfiXM8A`TDU!JpSzdYO&LysiNUXUm;H}ImG@uE>@*r~cB*_%uBbi&}a(a>n zr4|Dznh6*_AwCR_kS}M+Cy2mLlN}(;&Sbe%o0#;KGgH25tyn|`;o=0lRe}MTdSI|yil4}NH9d>Mx8Hksc1OZLVKadRtJ8ABn*>yu3a#(-9dzLrHs6^ z3f&E;`R5S19D$st!`0GsSl9z?W|d-w$u29C2#DOcMWS>=w=z;dG~I&0xrc?W(wuwr zb4i?hDw>lI4Yx!uJMX(!Rf|mIC@@0s=-Wf&Fz?bXx<6x}JbZ)3j2#*yTQtV^XiR_& ze}()GN9jpyJl%%GvGz0$2~{mnVwL7QU_*+R#0U^)7TJ(Xk&kX0P*oPv@Gjn+jspx$ zS4~7fkXZmkPLLn95ajDrHAiP1(z{t*`WEuyO9^!R*~hogFA-E3n8H$2Kf zR3Tc~%VF{wJ1otq-*E*_{q|muwppu&?$d>4C#2Kp+m|{LeFDngCCjYvGWs5iTbEvGKO*?tfR+PQ*Xg7so|sjLY$x^Z%9 zYPui6n<+nE@xH!(PE|idPmVgy2*@M)h5eg?Xqso(j|0s>v{{r(PP88(#sC)GQY-0H z-=V6vQUEP@Ie^|CoY`y=CY}Xml(fC|w_@aq404J^-kIquXyxo@Hv+Eg7djYcZ61UWnqg=JVM^*2j*jVQm{EzC#_07>L0529lT7wrk zGc0bjR?wH0TRTJ~1SS;ofkxHyHPaqls`VY*!Nj_liXv zzvIf+_mJ^!vK?>Wjv5VfiljxQ+LW;G@Zs?j!eK;+wI41R6@wzC(L51R3PqwJ$8Wpp zZS~z`yn^j`hYk%3M`_%3Uq8trcmzr0@``qqMw0>xhl)_@k$jLaJiBSc{86Ni3dNhJ z5%b5ycq9^b{Fdw9`YtjH#da2ED4!laId~ZHa0>`2%As(qgh;QmLNZORRPARVMx?kD zvzvhw1K2~3-*lzwJIM@gu${q?;gR8fo=^cQuH7I}e@qGk*v*4P{YV8Civ=CO;hLln+AzYwu_2p~I5v0c}mykON z$hst|M*QKB7=xQY6RJl1kzf!@a{QX>RQ)8jmCZ-!FhrznhF@PpFZ7v64fs5do3_vZ0*Co0~prOS4;==uhCFNj8`x`GavW z0lx5yu6k#EI~i}r7K-|KreN$ypn9UntYRcows53xh!AkRJz}X-ZE2;5lPKW@PV>@5 ze?-E&oUr5bu2TIfGL-?_sc;N3>`TIlBqC@px%!|#5lKWMHYgua2n&jO#`MaH(rC*(CGX--HsU|`ffWHS`@lO!k2 z{2|gCN%*4@_)Q}|(Ha!vftBOuU6uM)GTbd#YV%P!Gk9=N*q0_3R7k3OjC(5`Dw1^q zzRm1{_ALcN39<2jvYG@Xv_I#Xs$W4yJzxu9YKVOl%Y&XxG6|H~~57XI*FOmyxb-w1wZm 
zIZDSt)r9_&0|;p^CLn#r-x0#-7|r(Cz!FD0YB&vrDh2!%+48G-nJ z2>m?Qu-#x$KS*Z8ez2ezjfFyvpK;Zl^-IWT6Sf#h=qRUK!l;%Kk*t&v7J3%d)Wl=4Sjh1SSGwLq zh9c5nvlcU?OjM@JAxTIUAy?;T?Y1!Dmx2)h$!-)W9#25#{J5)*ym{L&Or4;9^OAHX zh0R=Y6X6ZHFEtV9-`7U~Ekg)W@_CxVe2CmIm2F`V_QxU-sYxKh-iH0qFd}iu@iAAS z-c4X&ugQ&a$pB2VpZ|3!37qyCLc$R^wKm~W*blQKtlN%{y6Wxq&1AqkY=N!=V|X$L z;TRM>g?#U3d5hw7C4;xR70Tc2wk70`$Afq*+dPpF$Vn_3NjQGWb$8uE<}q$N5B3BN zM4fp2n3y)XOr=IlcC-#3wjVwm3q~R~G_yv z)N`Zf2G2XYzR~qdUGMMO)A^5%FK-&y6xwvnCU4unxBX4qAGST#_N#3_P5wbA%lujS zi)9)wU-d~*oqH!Wvi$OKW?y>zEo}0$di7Y1c+~C3^#X6Ma+3gU6HUnZC*7f#b>4 zar{0IP991or)l{FDG!tSLh`_gWO~Bd`{_bHn3ndRO^xPjhx!x2bYXujEuG1yS@+2U zN0M@~Pb6K)GksYyO-w&Zx?*44ob0p7kefyFJ;sh8o1fbZnJNe9~$x7IlXOkl{$y##YNHR5pJwKQPaL5K6 zVN)RO8-SHRcKGbk>C~yd*)yk(-YJhJYOJT><9)}H{o&;CnLhL%Or|N$0N5NB=)cAX z9X=7S9hVZ-^ue3+X}}>RSywbN8`+nV#F=#AcL=K)gHMEc7g9ev0S!IyyqJgKZ4p?xIzzZiB*kE9&wade2 zGx^K_Lrm6gNIDrjP7zBRVgeUqAB!Ov1Cz6dzKb{;;_6;Wo zP9%>X?;9W(4G<0{2Tl`olal+6b4(aIbmHvEzM=hzn@7%`Id=4RHrVj~oA)0-F_axX z5jik&=jotzvL};$hm!jbC5Mjp^(6<6lf!m%asZ&400Qniojl6>J~=QsJal6Jz^Pz< zaOiAYI?7kV&cY;tGN3kWU=#g)f)! 
zewM8Vn4B)wyoG#sVB0WM$?oed?9))i^zgW|MA+OuBCF~Ax*f#NWt=O{yI8l~zu zgls5!7ztajcAg^0KbnyEIsi4y|4e>mw-6(58Kyau<*tB_Y3~u{wos^X06YcNFJVqT*;I}x}PPa|-TYPNY z4k#vTY?DJJ^*&k6s@LFsQi1OW$Cx#`iZ0=xVh-{m1%utjf-LvFYiZB`gF<`mCk$Ka$@U}dTQ~jt zroY+rolRfdbbeEO(|g-K?L6nqI!By6&Y*LLvm5dL{@U?f$2aiL2L3qv9Q!xWTyMJR z@ASWJ^e?w>w1d^PpL>@&x04>I^PF)#@fJQ%CcA{$R|&34dZ>`bXG_G7DP5pRQK^_Y z#!{zJPe($ibq$L>WNi+8(i|S8GD+{XSOZ94=AUI{!lqZ0Qd6#}UEiUR;pDy}hmNj7 zfE_+Kl5CCxNlmaDl27a1>KuEre;=3Vp0JZpAydLTTd0(>RXk!)5VJB<&LQP6ytWM= zlZxlyG5r(I(hq4(_9TzZ6WTfUOq(-=C$>T6yq?Lv+6;Bs*NDHx{idlXD_~DyA(hE3 zFMZYmD<*xZ+f}>`uL8l6ir8iiI6Xv6~n%8N|b!@ zU@+?oX49!~G#klgGeO9&?5!_9(vNS?z>PL8CrIk-Irf;B%dd}{&2;jKw5%zoG@w~U$+J6b){*&B zE*9@xhfUcC-nOJc+4y7~R%N5{k|t&2lXcjYO^uf{DjVM{YgslvTi(2E`p#-wHY%1i zFdLsWSecCqtBKhtC)U3e?aapKno)LHW3%zOjiuSB)J(F=o10DFH`|Y%l`PW6x2rHm8y`2>q>ZX3!?aPg3ahl~<0jLzQK#E#S7)C# z8ZKd+Ha=LZh1zJjlzH0tVo4jd>65h@s*R@FQ8HPnjY{2AZ4@=ztBpDvqqV70w^$ox zy4ji(nannt1s6`ng3b(Wp7J!Ai?w&B_SPF&o!iR9XOWw1srlyON+=L`Sqv90wLeY_ zJ1lsMR?@k}`x(c3UG0udw`@wZ{ln(J-u%a#pV<6`&FbbOn?swg+3fNB!1J6(_6&Nu zJ3rm2A}+v=_D_5NhxcXgcP^lP#>c)VWqdv+{usx z8qmB9BR(-27EJ~M5xR<;$9)bFvhjAEWFF`hf}ZN^6oLZawO!Mrb%dfgOcmFg_*U4M z2e=g(J9!KJRNKjIxc}HgOKPm~6T0P?Xh+pD-c=}>ijt=4(e1VTEOCvD1oX=)ABn;o zK))Q|9Zz3pQBV=JpI7HXSO$kp~9$^D?2Q8p;FS$jqBOIWgay!D4#Eu{#_RE|l zlIxSijxaz!i3d5y&Gs8%tfHK_2WJF2F!v1y2iQGt?7Z*(p8A-OzJ zBcUxSHkx|{jBx_*D*QI@T%&R}9*ZhUOiJNxMJ$?*OXN;5j_CQBP&Aa#^>5pV?NZP_ z;09E8DQ0N$jrUw{(3O=*zrLH89`I@ll%Th_5s-_ux{g zX=BHB?OBPVG~$BwKyTzO=q7b8LCF}mD?Vw%RaQVJ>}8yGq3z|iQ|erdp%6E4KB@D7 z4O0qGdKO)tQ~D<@l>P>FE<)#WfYVU-vY-RC57W;%wSNNCUW^5?B1<&mCkVA?(Tq8@ zf5J@dS%6|r?Vs3zkO^sc9Y%b31(Ai-I16eYjw2NaVt&ODg)u9p5$S7=1uo_QdSbhh zm6T8@l96FGW)X_T8$TXt8+KdefW5iv;B3ml;v#i zl%uR>)ob7=>$*@_f{Uz0#L+ni#1Q=|;*B%e>QtQBTFn<}B>bX&lg5-*X4BP;u-aXk zq0u(nr z^G)2c&K*zy+Z~__{pK_N1B_!f>;Ykx+_@JeYg)XqfM4T=>N$J9t z_8!N(94|ZEd%K_L{>AS5x^vw}yWh3>KQ{mE=0Dy1+0A!(zUTP^&*wV+cgKJ0_>+#E zj+fn6wEt`SkJ|sR{ioY!+LiXB?Uy?qbllxuFlqZF0^mNUi=l^?t6xXm 
z`CfG{L&@AHd1$Do*G=ZQUO<$SVWnD|0zyvZl`7)E6*8JGM_!D@;*{u#X}onyMKeB# zpa{4diG+NKL@a~+d}2mMxZPAF8(9O<1joKQWuN+_-e?tnq2hBH1+_!Tq~FIK7C0(V@W>C zlF0qr3=5Ft6NA3m6p5GTlc7nF7ywn@Oik8_wXK*hGGDXEs;P!Pr*UIWSUomEPM`Hd zJBUOs+FhMa{mg{lME+PYOKQYDCIV@TKN>;LG4>9tGS;-WCJL;1TrAgqDHI{yym_v3 zB)YxX<&G|qI^)^#jf><|2a5C5I;hT%zX^B+3oXax!Kb(5wOu+RM}prsTK`jUDg!L+KR4jUcmWB$UX8Qg{&(i^OF-hEwoXP7-A$ z9zc$V{49=oz+)yple4LEE(3DHD(R3FnULrWk9d<(#9B&4VvabJxls%T>o6Oo>C*4J zkuCjc%hG?6C?PZ!7ORizU{4bbn+569N;>DSR_8uU*K@(g*Yoz!u$$z>UX!EQm@pPd zk2U&fGRmS+&t~#TWo+)^X*jK|s;{L;sa@JE)8oHgO`fFO7unX66t2pKqp5ka)?Q2w zr_J7|lxK|L&uW}e*B}^yjh2X9&?~Gxau|->IF)5@;uvaUjxdbeAEKXX2)?bpL!G;g z9ax@q;A!3Nurbl8Ua$am+Q^r#}VhKbsN=Rv6B&|qzz!8i1G1w5MH$Gpn< zTgacCQ@QgBvOkitN&!h)wd@b+ z9&cCPAQL}hP=-gI>AsQ4=|)xK?bp&qla-#3=$W>gZW4+A{~l+*!}U2=-Bog(a$W6m zIA6ePfCsny&6Ypg@`qdgljqMp-|{@@`8m(sp8cM^o^77CuD|GdzDw=8qicUhwB!1Y zOWmJryRU7s?MPd=?b@~u*SDPyJAc_(arT?C0Nhup)DW%C%m3@>+24L*LsGNrstq;2 zn2qxH^=4g=UHnttA39< zZ+Uh2ENJ#TON+vZ;&-(a~AaUj@6i0Bz2y>nB=XV-JwK+v8m#gzz=*OIu zJ!`PCdG;QXYgEsgS=l^$5UK5&!OFVSc@JY{PPPZnuAi0Va|nvk2NOl6R4TLE-Bql9 z4g70>j*#Lb2yz;U?x$gM(r)IF(;l$}LqyuMvl^w5j-gg0hN5ysrYf6WLLy&hYUyev zfQPq;Err*w6%r?Vf}~fVBwP#y@}+96;zMbrQYugb65J(}3QR!?>`KU%F`-l;AT^Tu z30Q84!IztF@H1liSqUO++{!#e41~ms&lN;w-QiTNoRIE@|f@MvR0Bvw;#V(iGF{-MF)kBH0lycgO6 zfpP;s5{Y>d`O^wEHu8oijZ5>RkEruq^f1(U`qF20JzK|=Hx_qr-q}lI?Yu*Mo@Y;t zwUW-c&FZ|HPV;;_KeKPL`pgqg=Q6z_byLDQ886BOrI!i~&cmKDvuc)zh%?=1b||>@h$vFr7l%=gq_~RvutHD50(bCv=1pc=jNGrAXAwrHGms{R#W&yB{V}@z=KZIf(!_Jj zsL;gqxXIOo4J&zOt(H6(oM!DtQQU8rDZVJ2nAvcerEw8RaR+U!A;mVL|L=AF$kFqI zo|DevESU-3TS{k%6zbNyY{^N+4yfh}Rb^GD9VbH3{MW#^O5FFJqL zd7pF2`61_FXRmXY^9tuC=cbj_aOXE2nPtDiWdHNBAN=25`C;|^Ou|FJethCpcG1o5}&CRrfAGea4DR%3RPW* zrvefgL5m4VSE=Wj1%z8DzI_Rza>Il#>;iX_cPG?EX29V79xvOh&U7HG$>Bb%E*31X zd0C$(l+d-L52UUcB%@#mo_@?poj9fs?K`%xSv}uD2l*)16<%4l078O0=a4OLK#Mj? 
zMGZ*~#*mE(W(_q-V!M~KW!LIolGkiAvG5F zd}(GCq9CNcP{h+@aZah{nd)5UG0k4lMV^bek3H&nrjc=q^a=!`^A^SHmCoDL^KI<( zbIs_LjmbkzOTAq^?_vXRQ|~LQCQj?v9W0RPdD@Z@q~kmiCn00478vdooxH8F;#%p;hE}@Bqr8s+8 zr{!fEZYG3*Krmc zhLs4sTG*(q)}r^C)K@bS=m~of3w&zN7{!1wA-!@CtEH*OM$}a70=qZV_GQ~Pb&=it zaU12!78~VGb&=fyas%qiJT{7b@2KNS*C9vOuXcT`tK4jPb#oqq>i|M|`@b>7)I*4fkX zZyj>`Z_@aHf8e^;`z7zEymxxXU58u&*SlSA=MS9EIZrzeI6aR42a98$pdigK<} zk@0Q;sitsAjZ0^$Ew5%;_6*)OA++fcV;agVv0RY&W4IY-W0D+H{7y_@hG|1rwnz%( zNdwn)gESOaRi2Dy#QB7nld8!3Lrg~% z(y}pxH_DP3Tyx{q2)PHHHg?IQxsemrT?Y0P;QNgofdtem^iL}3vqFwuZZn0sIw@B* ztvN&Pydh`Ny~nfmieN&CU5bCgPobijQ}FhsRKqLxy_T#h*jH_iUx~+H(yb7{mNJ1fK zGHVOfQHK~ZMk(BVoL9eOV+626;AZq)3VGKZ)pL=#7;7Tawwu+(Gjy)?HjZSv!N7#n z9M@N*a}fEMzcCm2Ub2XML3NS&9&>NCm&|T(OAv6#e#|SGi()TA6hkg26f?JDQ*kho zfJk`4eB1FN5ebK65>t7 ze z3aE=L^3G?Duw8j^-8}LLiC;s!Lxe$OvIT2|;7gpYmWZTE8RlvLu?B{@*4Nznj7JeK zW-n;zz`3-N-^-G3O_dM>7k{s%@;QVKF4K2lCv%7};$Oz*u#9tZI2w`Vlp=~nOD;$x_XKNMVsFJG~_IvmW zU?Fdc|1@Q+^j&0=7d0&%IMqLJm_%}7p4GJM*x=~E(6OT<#LR9gJ~DjlL|;SM$wR}3 z1{=x-PmCNM9K6NolsWDhGvQuRrmpQ`uF|Po?05JkPY2WR6`q^8VIk(w*QT#0Y0zv_ z!Av2SZfM#NiGZ#}yRB>bG)J(tp%hj@@-mS6WSEA+{E=-KJ>h|JLyJNd5?fknD20>Q z$-~DQ3QZUGq;Goz*al=x?W%NH!x(fZWW9Ib4gaF$jpa+*k$X9w0$)+UATnkK@sf!_ zq|FTCC4)h{Q(a_F`>y2dc`K6_!8kr_W*jfQqgW~`;D77^mB!zRam?~g>ZML{|9_qH zcO2fo_P*$S)caX)+Iz?w^9nux(DTPVLp>kd@~hp!?j7CTo98SM&=GgjT=faS>c!)0eW87r* z;@d;#G5Z~n=cy*{#d9I(oQwZ9b1lkijQ6NI=i;C0T#NrUaV+ZeE0{c|OmAZwdbKhw z-j#`A@e)(e7+zw@x}XJ%Y3SUxO(~mv{sSCkzDLE6TBCQddkB3aP{;BvwF(n`f&C1g&korkx6Bx z6l|&qI9R6?IQ?W3312LN+-i8Ov|1*)Dd06r{O-$(h*zHkxLQz(09v$&ri@8G5&E3(H-t6B6K zRMA{<8dgeT_qJu|)a^d;ch^Wcn*pNadiE zOH&m;6iOf-=!`_D9G>AXtE8%-YABypV5ac7_#kd zbuq+{d4eN|&geHtZ&ycc->oi6bVfYx#|xJ9!2&F+n#f1@HP!495 zupCU|0aP5kdoOLp_xxMiMMU4oWMDb~@7_bJIPdzPan;Z3lbq?0Z@I4PiaO6?r>Y5t(!XzW07r9pb6Zrv z^s6Nyr3lp;1OU&WESLoi*)o-fOubh)WLz%_cN1UUY6VgPZUhB9ohEz?(cjB^@fUKH ze3;xMXG?hqLZlDkO$SHZSz!|2lLAwdfT@Xp{eJxO470e{{`=cv>O4cKalUf>Fq79V zTv)(Nny-f{0d=0C+#qkdtiVm9B-A77Jj;u5-)Yw9IU7jtC*dvxa7Oa>9A3*AWeS(I zp zM%Epp@e 
zIO5XS3M51&$^tfJ{JTlz91Fu>{j{;zS1ae!B!YwWW7|@wW#wFUHeKZb9<-kAi+wDA zk+t9EG7Sr`z!O7SGP}pG)e`RV0x&#r43?AVDsEM_NG` z5z|#Df`H&fbF(ke#pW)=N??SO)ckzxH9-~Z_A1In7H;EQMArn(M`|@hXV*?Z zQ%Qi4Nv%Yughr2Jlvq-0zfp^Y5=z-r%E)9>ae&gu74HX@6A3qBTky^x&^$tBT}$zl zE2z)yP*x#fB4pMzW@Yoa?P)n0jb_tXD5&#S(<-i@K4&PX^E)hU31KIaXLwiiNt_?s%^{zmqQRMn(&M-|PWL z)T;r_7K;!q@1rMXKZgqj( zf^d7!A0Uz{w{a7z{g6W9CXvYar1&y*;R9xnK2IPW4od1mFD>RrFbajv8;geg0}{|MXS=hv+i4it%slo1XMoT5tLYQ|ra z5(v3liH0Go=;LT=9;_5daWO&c+_IjUEp2jkx7Eok%2qreg&MCx;F^Z)*t&SuAiU{X z=bIql-_6!u%4RD{)p%=7uYr98;=-<5`46}=HT*cL%$Pr9KQ}1wHcO@2eJuAnS~`H* zrRqY6Vk)Pj&vRFx1!ffGbo6-$CkxC9s+Dxkxz&Xr#n#2UIJUkWg_GeECr=;hpG+|p zo!>v&pDc~CA2$!3oS3*}Kl>q%o($9P=6asglOgt- zeLN7!XUMxu_J?>M@c9_+=!}eZY*Mt{ieiG9NEl+l+T)phSX~HEOsI1gf#+?^a2iUk z`{rPQ8O${V+y=hjCdo(_*afs!e)U#$Axcr2o5G(rq=qZh1(xHBGq&gTu$m+4f{!hM z^UUW>V!{S!-8OZB+2y%Y`|}p3_AAwe8|YN8<0r^%+7j>Ossst z-vGN_V3t$9s&DA*8hnU}44e;rV@D#Q$eDBs`6MMJjOeBrq>>DV@GmKXH|vPL9nGWw zKqfwL0Dfb82+0+K3d}H@ z*Y(%iCB13;(j;xuHc6YNNt?xM()g|?GwLRS? zOI)u!<4(f8g*s*p<6`k|bsfBuu+xOEeGzk7mJW_hj2(j1Gyy$%**19CTBY@($1bj{ zN}L#4W}L4$YNcDgtU%uQVbCUTBzo{upnZk%sjj}B4baY~`juC)=wZeC!`Pq)-HV#M zEnUmmauakdWl#Ui#+3{az!n}T59`74i77k30PC-1Nuy7`qEq&g#t(c=^J*X6NFi)o z>_aHs46KpntPEGOiYXuNX6a<5Z4=_U{IQLoxvrH}ZcVFMIkCUuA%JXRpET~0?Mo`J zV@%y%ulpWfS>4C?ljUUa6-T(ZF=pYg3dlkb7r2X_Ex>Sb0m1?I!m~vlM>qhRPd3O& z`wb->i68(71p`;PBag-AziPAj-kty8d!6s|JK7)heIAkfzup_^m3nvYI@%fUJkYtL z<69kH@A%PgfV(%2qTSKk!}(t*pL-b@0A1F3vr_ZF$BH0awDvmp^M{s|83eQ@RO% zJ{YUhrHezT<_Fh8DJ*Ao9;lv-Dru+~B62oPX5L6#lao2*c0;wS9JC9Oh_2_hAjR;` ztiH=q@QG3yuHf^OGRW}-lm`0;Mx{km>@iaFdU+jpLRXru#=#?+t$?-+9c*>J6sjQF z4Q1m|PQDzXi-mc^(G*M+^qh1G#RyBt*6udT#>h^4izEy#B!FpB1^Wy2l(24FA1rzy zM7$MejKiU+@x!5WkKq4j*Jb}62Bb%fz{)C*fwb<{ca%>0JSN=w%;)H&&x64&X8xSR z%yH7^vEbH8|G5KNIt=@Yo|U5pTnAMnnw67jJuPbq+(4!klsBQ1{+L??cy7O{CBr#A z7eg)aRUUC=i2%>pA^_gufmhZ^|G9>f{s?Q%I?q36o%FBxR#tfo$%jgOGM?KuXB=8z z8P5*$oB8Z5utA5=Zc8$N@Xcj|Ce~=q>XBIdSXe>jN=47c6In$`$I`KIGM-aoMmnZu 
zbC|4n1PNJl@Yu@fNxG;SIuf-e6Q~@lN8;%Wh`()sMtL5D88oEFgHpMI<7z02T&7mq zJQ>Hg5Pvk3$(mGgH-SPbhKc7`V1r4Q;bh93gz`wqBAa0pZmU%8=T1Pmd{GO|XLHSm z|LgczP;o3-8Xg(f@J~IEJO<{JY+&VTNU4V|xCp@dJd*?xlFN`!*5Y#3iT0)o1XkG< zXpJcSLEXdWY(K3>#_pYzs#fWg5k5BiSw$IC!~NO`4gO5<*BwqO$^H`wB{?t<8H9US z#8P3zRg@P>=uy>3Cew+WmQBW0Eo)#SBh5ezAscj@lcj79Ql5_d5^4AZBfD5yi>Eau zk%OmjCZ0&qI<^MhZulra0dH?y|Z}k31=O;QVo$1b99Uq4V;Bx!_*zqenejIiF z@;k())OKrTg*jf$qcId%FIx>x*5V?E0au z$GbwlAL@F&?>_`~b$!0;^Ox`OeXs9(?SCO_e$@AxMv2pZ-uHF{e)n=&&pO4t%}E23Bj=_LuB`IvKK<6* zwWEP`(iTDd=6RYe@%sgc-z;cnb;12LFVLj$Ne$-{f8NxZhj0hbD6bYk>G|D+6lL!ROx{%b>u|E0MC zU48^53Z4p0OggUP)I0gU2l0SQ;CB0oBEGg9HkNFkb#n99;I|%*CgA9!#88O9j>tV> zELEjJqnO8nZLDY@9V|o1cj$=pR;x9uV1-*mMx_HK(j2P5D;+dxkJgpPIebkypRm|% z0h&1)-*oYr3&D)|)r%TPDfh%OiPc3C>wYy-h~!jn7a6w^jTysSag7vp3w5r$6N-Rx zl_{WV1|EXyft6KW=A&k*>tFCviru6YWv|sOttapco*mgDv@ek0$ulC`S5U5C^$AXT zt#Sn~+?d?iQmz2H!#wZ6;<_(*@W(CB2R>w$5i$Ei_NgnYJXNd}0(Nz9FC^{k zVGUSc`cgZ}DWb5HG>nu6b@xtb)b?uVFCwpMVF^*E-RwP!fxQR@rf5hxeYwj$o)^Ku zE_bpk76W_H#lS9iusaq5d+|UxrbqO&W+3JVeu`?E5*oreMAp;Mh@r)!xJnr#+Sywc z1AB2l-ic@9T7rrnw6R+j1ADQ~z%K7-c*o7aE(h2xi-En!7}zCa<+7hGwC_t=%zWDn zY<(esDUUYu&6{9agK+9VWm>pD+IqlEi#QIaSXZ)fGlVd*=f#?JG32sQ)(g{fNdJqp zv=uNdE2ITJlUnRnSxeleYpOLnH|NUZ#z?=d3c=0qV%j?-3bK7XcraATojS zuGloPy@BnmE2=^C&9e6_%JDpDo@3Ex;j{H_w&kwaB<04K$G?>t2<}A+R|jj2GE+`| z4h}O2PDHsSSDq`&>!Q)Cg2^hD`d}j`4XXjqJXh8|YehD->Ry%BgY^};p&sEngs!ee z*t*e(^8f7$_+>?Pbh( z!gZjBiiOqcGw1b1N@oOV8;3Lr>epxFa$twY6z>gNsb#2V%K! 
zPSy07oJlM2z{sWzIcdPR7B!5MT0E;ovqto;+8QZa{C+MmjlIprTR?snNTbzzx zcSmiFbS!>9m!QUN0SZmL!`(z(e!9K3_I7sX9`>o@mig^RhHGn&u{rytck>(DmY>}2 zT^4EsNO4X%v6uk083??~N4eB*_PSu|IUMv`Dk4bakj=b#FBnV6F_ksFg|hWMV@>wf zEai2zJ!4}Ous*{})yv$fB$MVzE>>VE%jPRGC82dkt&=b0QmI<0rVZA}qF%|&9$z?i zDq5MoaO&Zc%4zfd9KflTjbrS&VA{C9a!iTMMPpQOz&`pd=8HTN1)^qx6cuYZ>c()| zC(9lDZz0B&m*hpG06`KSxW%ko)iZK>XhO%%=f!8piGt<=>IGBdYsLNR~c$B|!QJV4$k-aD zL^2*$lVP}asgYPT8r8_eO0V{XLU^nSkE|u+TrlB9m6;7@mx^%Z4wlL@q4{b$WES#J zn1+T&&P`6qQv=)x-0<7<6qfxXMxg?Km;5x&pvZkPjfB^uBLmF%YiqOIIW_9X5}Zj; ze6y({XM)zUqBv)jx*?cKq`^xG?xdw^Ib+Zv0dN~L%)#0s1=AUu$T07CW`iXYoifj+yDOlf{eN~MmcPL58T=pQ{dF)@`IG^idc9BEV5;8R3g*k3_Vn9aQkO;|2J zlbY-w+uHMwO->CtuT+-ijrB*@+QsIc-$EDH1pu94Ib+s z9F#(X6Jz}&px^>B>f8F_WoztCnBR1f2$MN>RZ~w*inf5pA z{6BW4cHYtUJ8jRlJ+xzO$0v4V1AiI#NZ_%+UjK{!Wq;Cl72Q~WE-s(#@&)epFF(-V z>H7vd!nB_)Ah|A12o+QmK^Qh=(HqR0WH-)&=uhTn=JbqYl*>3nF3uW7X$IB3sEQW? z(}xOhGVe!{;0jrlz)ORuauSx|Ivv-#L)6YCv`o5p1LoOZspjdr5JBy_-WZD@Ja zY3Fyg)sC8kX%pXd#%br}ZMB2+K&Y5Jw0zoW=cR456A3~TRuznA#A)ZnZM72#C)I>@ zarsnz$-Ure=+-ScC8(ivR1%+X()onvT|IAh$tl5TBpfG5hn;qw+eSO#U?P?Ps6)#` zPCH-SRy!&T%*puB@}SesSGL}ck_;vziDV=)v^?On^W|-|6T=or#DLL))6QqM(M}Ze4zC+*$(Ym5r?=G((r3nE_%79H=U2DUP6XUPf!v)# z%TcGDU)feWVI*HjBrYyT>LlWqT@Bqj5}^d+G3c)F35xRxpK|rQSrVZ@I8spVaA-N~ zwDU{bXeS)h)L5JZkC4;OFK(+H)F4QxnBt(*&M$1eop6$-IFW#0COhqXa$D`Fz=yd1 z5vQF`Y@?k-FsW)$72NGXr=5>)s~y_f#I+AQ?fm?<+EF5qBd{e8IqiIG8|`S=+DK>% zd=5J8{O{XpCz1%W_49z!&d+V5op>-ok}F8o{Z2bSyRCNcRWU7karw>lt^G5uhHlx` z4#%)mlmt=lH#wj1QCH8K+}dadU!aDuRPJ-y`A^$wC!7Ej;BNOi?fmpM+EIgX2*7c) z^G2tgk8Gj!K8K!NQ!LFJ=l=$^Zx>JiLMRYN0}L4(GYiL_%T#$~Kvm6fGQ& zvX+?N*m`wvxk8AUIp2yn{h4YpL<3~?eDbD@-epSmZP)c=*C{D3$^jut4fSwyQ3_mi z+}kG62%P>Mt5GD(N)okX{afE(`6d~RJk@U3vm?12lOG@mU~^zg;{lI2MP@#zmyfsW z4IG5Q7g}Iwpit`vj`LO_dzW((%y}-;mF=9po>uPhmCN_DwZ3dQEWhkHEZ?MggDWXd z9m>5Td@sWX?Q%ob(3d-FnU%};v0+?_SzGSkhtrsACi)JuDNpe^N3!3Is{F9+*h)L< zK3H21yZk2;Xvtzca z3TfR)m$KPdx$eb z7fTf~k(Y86at5=-67S*^!z-6>XGDkl9Qs~zWRk6JFwooAG|*cTKK3?T>0Ax1T)vGF 
zv-gi##Ozfpd^Gu@yEdimGTvII*u5F8ry4gRTQ7C5b-2+uo6&k6zIpaWw5~Xt(0;<& zfYz_h=4)yj%gf#q)|0Ny=QPcoODL%^5*@lWo%KM=TCb1Yz3F%sM4s8ujoUz~52dpC zaVOa6iG_mEl}vA3VqgWW0HevJb_9)OJm$4zq7x*)lAXMSv% zJ!}_ESUbi;j%?cUbpGG(`#B$M{$K9>RPXIwKMV_hw(Cq+xbvSn|FrXWJ3rfbrSpl- zL$LOLyFK3iruNsgecM0mKjPo(`v>12<3-B(m-UVLzv0*YXzL%he6Zit3z3y8Jgd1S zb-i*Rt!r?)R8=`fiICKACWlJMxuk4F61lXJ%_&ACeD}%~p7q?4pkCRZjTmuViD%S1 zSFZ57j+WH*N?q!@!Ye!4@6@HPyH>6=lz4o_Nj81?jVo7pw&@Ql9Qs$bFL{-6dS*$Q zLSQo#2csyg1<(3^_(Lwh2b2k1oB4E48DhYeObIwx$%##Q4*HHfe39iDM8TDd6bDC6)EEX_UtNB->H%46fW ztAx`?_LvfOmtk|WzX6m*E1MUVChNYvaP3V-R4o>Z;(u@l&?3!}A}>YdMD=;9NRY)7 zUunhtts4yv(K10LuN-e&_+N*Si|9M&jq8>yr8oDVJv-Px)&FKt&>*rr-h0IMN4(Bs zg~Gi@?o+^kykr^=A;wPFVMXGtUmBr?U3!Fx6wlhb)DdBB^#Zlsz`tY5)9!G~i*xtN z6`sQ0(h0l*;p|F7RnS*DSCo}2hZvHp4_ox^RVHifcdT6D zdL|y=<@=@;;kCNBa)oD@{=hpq-rwA|Kw){uN`uw8d6xVbiyQ|KQyLr{BLFTh^ zeujcFhY^1?j(pdB(z!>*F~y)?LvI@bS=u;~=7Gc393375xU^mllN+qdue$mE`T7Gc zZf#Lc{vA{bqdr!iSI`-X%UCi{FL@0ChAXVy*P66z@X^QIRr1J-pfiWvx^x5~C>-?= z6slHY=El^LEoo4e?^(HW4`Xh%H(Gno5fg6KqV(d)@`$y6 zHWUi3OT+6j!Pae0bpC&n?=O8lKhm?(lka)BN9zf6|7G`o>Hbpp2f82Y`cl`Yx>h^> zXU8AIE8sR%{d;A{ukHA$9jiMY-jUexz>d9vKL~t0@bMim&X`@t@DPV|7zU{9F9ca;SEVgnz`jbM45Gv#Gb7Rg6`Y7^`O#I|0I*E3tfH z_Qoz{vkQ7TI9D?2vA>B;M4|Gk+-cTesJC{FL~%QUd}uc=kR^7j2Ie8jLy*Zjn%G^4I4x2;X?}yu~e9b^ympLHQ<1U zqVJVi9gYm-1c7)mR3C(g17&A}YXhYkI2;5Pl+)G-K2W6ES=p36}QP4I+uaHIggs zBm#quSgF*mkyz>XbFp&pKq3Q?BAkiJMpzHaY7#1|G(<)@oXAA=FtX~wo8qq8HIgdr zBm#r`v+$aZ#EeYxj@mU6D(##BgSJeGH%O**-l&U|du!K7r1V=kX9k&RaP>{KYa~zl z{qN@{(!p(ulMwgk^BMeIqH+}j(68wEnW8jK$%)dqLW(3NR&M6Q9Rcfsx2g)}o3cW{ zBy+@ZYZ=6 z*OB_oyuOZfn<>R9E=V$T zE_ANkUb{wuq2Ir1k+&P;7q)FwmY%F44woNU*pJgZO+LROS-0&U$NX9WYDddxha%yJ9IBxyGAx%zkiZ%qrICT@ZgCB2$>X^aqGxQ!YoFVGp<&cCV|`fdd&G5rYw3kuwo3DkF3d zYM`_VHBdH=Ae&e^hl-nEzmx~kX1@dbb1|d}QnaK2hE1s(ZH7JIV%U_s(RrhRVN(uA zn_&-dU!F|uS_hle4{Hp-fo(HvSBf9I80p!1NllB+N~8Ir!Pxd@KHrVosGNlkHf#A6KpE3_to4hdpQnXM)lY`NLKYIs6_h%_!%|=7V~gj-bf$!`cEj z(z*oo;!+R?yAZ4H6rxbRtfrw}3W60Wds9T#lQ9iu!gM5>%tcY;zFv>2(bZ>6FJC|y 
z@;GvM)`bihr=aYKwxsJt8kBgmMaSEObL(nny16AIkTQ6tBpcG{{u3_s4PEiNu^P%v-^uDXH(i^2_{4Dk z@JxTxW&Pn3h5l2`mx~#%c5&6CWqQ`LZF=0@dPB8Ot4N1?^4PTTgAzF2*%D4IOO}7Q z2{9W2DjU0(U{iPZaVJsUpk5fA|L^jbeY?K2>*KpVylZLK^sd9Z_U`iae5>aZJwMpf z-xKcsv(DFbc6a<^`{(_?=KrYweg3llZT|cG-7xk4U%p@V{h)7{PVQ(z{Mi%&U=RZ? z1~Ken5GPy=Vz|yAZmV7EXLop7=Ha^wrN#F?Q@i$7#vlH-65|iU+vX3Jz-3oZru^?! z6LLcy8gfeyi%bkwiCo4aV9}1oQJqHCluQP`7ZD9v@KKX0i@<-)2#3RQUGt{h9tSie zTyT1uhZ7o-x>ziOa>C~%#k$+J~*T0j**ImfCZBFaK9;sTCxr1Fq?Q!=aX>^59bH%c^v zv~)bVogG2qq;s3LMmkMNF(@0&()2=vW%jC%)p8v`QK_=QQitKZH(Sg@S~o+`aYW;x zI;$h2Mkvz4>R@<@gqvC2^?VV&+itFIx3W6NNVU3%I&N{Ur))ElZE%s0h6HvPJeoI4 zO&1-%IoJE}9`kTd#nlF9RQm`;?rAPBeLJ}sI&?Xgx?0E8^AqQpSE>7|zA(vsc$)@j zZ*p6o0+V!V%p98^LgG6JE7SxZ$#fAGAKrV@aIVjDSe2+c3u3>rwmb|mlgN2UdJ>k_ z&Mvx2SznMD9RX4-+bC)OOvfV?6t6X}e=SkFcAU|`XStql*g31)jo+*-{~g)z?oPJ3 z-R&ke-t0Iay@fFqZZ#SvWx+A`h0aSSYS$iO@V>9gSvtDzs9$mDLSxOWmKxvgeM#R^ClJ`xR&#ao zz^^%Drso@og!O_&AW|^nbB${XfAFx2NRX2&Q`=m3MC0)4+t?e{rblPFv%m&IM_sp~ zg2(HW>4``bPjP4VNnlDyf7l1|v(#e3I9fKXLwIeQPNF;2t7%hz0LI`L(r2Tix0jh z=K7u?(vzs{0(Y1ha_dRR1=m*23>`rEX*Hh7W@JRr7^qL3fMFvVNy<@G*EO82qnf5b zPeLBJw$@{4e?-j~5j7qm!v;Cv+Io^9ml#a`x6T`NF&Lo&4Q5mvbWse$=<0pA<_b(3f-=F(_&-Z2Dm#y&1k#^{LsoIfEN=_YsR#l53`-Th; zI~*u+hLqF(Px%gQ>Ok%DwcobM2XFObm+@seMvFek)!wJJO^e)Ta66qn3rn|a1(}Qn zc_F7};&NJr6B`0kBYGsgv9{Lg0J>9&)#j@ft7aAE7D}^AmX|H1V<+G9`YCfUe<2?l z=s!nUsiW|$WbWv8zUe2bPgGU+UPq$oR%Pl2Crp>OyVd-y+{gB&eBf|j>fF%4V*{f@ z=O8H6&tQF)JjS!fj=(XbJjXzEJ%tdzdL+{n0uEg)-Q zy3T7>!uNIVB6l)k4%fMf1Dgrc_BwY>R@w?dkWBr~AKD~&`tIgHg~^v{?bzNTr<_yd z#w!`(6P4Ss%}l506vZo7@MG1f&NH=Zqg+1hVA9D+$2zAsh=>ib&e(EfbDOAE3Z>Eo z)Z2jPF0WyFPwm$#a(&b=$%H4_1uhc~yJf;*c7r>+3?JBxW)L#r5PONcLl5s)P!&Ck5{p@oXQoWP zF*1D#L^#bLf1gE!U&ZIv#$zkUMxEwhhw-x;uJR+G2g$J>Vo{GSnv+UdRL9=S?&!#d z=PU}eZaWqgTK7JuL>qU*%TTaGCw*1xfNjdOZch$%+ORW+QrV;mZ*1s-xe10`Kc;To z5%cNVHJ#ImJlnjdJdUY1n@mcss5WeRUKPh8T>GH?;ni>!`FI?<<<{44C^&$^@bWnP z)Ol(zWBKsKd?zCTJbLI<`^Mm+AznO(H*^xDN=ZgBYF;{rkNPB$Dqb;%ld6+$QuUaN zRGmDa!%r=jg_han1rloECVn0DB#*pX$lIwz#I) 
zbp>-j=AQd~y*+>Bll+tZo828Ti2Jn zetGB5`LA^SC~^bLbdC8ZyP{q9cKzO-U*0pj`ww@&u=^)=ebe_}e9!MX&i(%VC-!_~ z&-d?nX3sOs|KGQ_L7wZn*Y}Nv3$OBD@I8$m2=Vh7hA|h4M-Cw0KvYY|B63<$QFu3k zf^vG)(B*X6KtTdkMb;th%D&pQB{uor&n5ejZ8HMmrEukyCKoc4v!gM0z-Gp>2?j92 zT=r361E~vH;=**1j=89F1Al6_ZN)L?k%1ef)ksAz4UCRR@V7>B6`Wu}Eh+6GA^><3 zNP}2PlTC#J0jSV}E}>z|9l^45a}%M-A_VM9tdSxWgQq50XhFV+?kS4Ee#Qz(gn=<* ztd|(^W}6OeUB{rlkk3jds^tqPNoTP;l+c1-H#8&3W_E`dw%9H3t@iLZ0$5HsUW98m z>TJ(7m30#_f5>fxLK~KKygZ))Z?sLy4HxI_t1jkv(CJ!XtHAj+!UF}1rHW;j-a@2c zEBCCAN(xE*7d9F!uzY5g)}9WE|Adap-DYJ8j{kN>q+o-q2Xo9oxC%>GK_&J=RZ~{f z5cE56PlO8z|6M+#&lQ%c7udh}2lRKoii$~a(?5YOvZYd4J_k1t6UFDU%u8d#)CETE z+C|P9ctGEXqocUV%k^2v5LMRG74B^`@+y`EZZvX`89Uc;Gbb}ATlTc{;g&ABPU;Xm zTpMQ-HdC_V*4L=hEVnPa)+3(eA@_6l9 znNO<%}TpR!ElkhK5Dt6bXNaQG{yYHOWrRbTeAX+HfbW?+_#1r5UtRe&7@ zFDmqn8QFYwj`1AQMY!&8EpRi}dIZ9B-}qF@VJrQQOr4rIH!}4Y^v0|b=SDomcGfvV ziVvQ=BU;YN7#%Wz4RXybj>fE_w<%4PEaKjV+0iSO2*V(uQFziSBHclrGIslVUXiGYMI zf2Xf)yi_@BRF-t<9O{*p<|xUja~=+~H&qFY^+mN{G=T&#sLR(-Kakx~V~V0`xxl}RnSbZiQE)n2#9crY1DY7x&KVT)6cp)T;QEcH0;*`r%?UXSX+ z)`VL-P9^Z=PxDYrug{GKV`?IbQcW$N8%N0v4RxHef#usW`_TJxhiCUA#RbbpfHoCN zQ)twq1@MzTQ-l%%NoJ>zic~sC<&mqEe1Xn_hrEXrPQaB61wWc+ARbg=N<6M*0@XC( zG3hy=p}Bd)DoCyfw^6-X#39dt#PsSmhH`_b50z}~HWt)SGenJ~1Ex;hPIz|fng*h` zq^*_)7>PN{Z6w~E!WB-7qr_G7x5k1|MNMj|9?-vsI(^Wy({ngvx>mMV7bsVWpbW3? 
z!W}JvqH5n0SZvBuNsW18tO~7eyJK% zV_H(vrUMrrr%^oSIf}+^SUxDC<7`b`e`2XVW?V@`T6@NwBmhW09!S5FdX_zVK0jO1 z=kj#`yg-fykzSHY8Me%0G^i>Oq!xc?;K>yAamKTc0fd1da{xSVSyc}*EFgD)S<2*@ z(E>tWz%8K;B;zCFEH9TIm&m7QTFaMhEG&H z)@vjfL#LYdjzHn<)ah}2CulK#a#Ld}drf69*!+Rl$`ULpL| zG^)kk9wRvNc)fp^&q73gAz2Maw%A#SLqqbYi9O6zgp+#el1(x@|jgi7G z&;G3S&mw8->jj5`%B(x0>XCD!>}+I}0f(RjYBA%vYm^`&SHn?{wTt3ws6v;}-WI5y zCj`7{p^FHf&`kpow{`&VB!%XZj?@bZs>qf^O|4caP(c)_@Dj1}f&8P??NLu4hCzVS zgm`~BGYb|p!i%GLcZF3P#V59)9>$(RDNE(i!2BcBl{ddVg=`&A7@spBWKlWra|YRI zpk~E1mzO+xj3k2^)j?~;6nDT1!TlczWT&V{#q;CNkBty9L=u}xX%e|c=PTa504MDH zmhVC@DzcMl>QvzAN$Q0%B(=&dW0TTEE{DV(6qT2)k~V){Uqn0+iXC4x$Tx_%3^7`- z-V-SFn$(i5)HXuJ9~Cm#+hzvis7LtE+3X8gO6 zF^?x*W`&kY*>nc#>fCxnDxw7;6~Zf^_3Lpb5k*Divw`^u`g-pLJY|#-#Q?(zSSlrQ zagbp1?S;1%1Wk--K)Xq3z*v+R_DpmlFgH#;4tV12B8!_r9U>wmh`2|05D^n`Et(h) z6vyoDS}{LsG767GLGzU=1T*XzD<;zPqWTd?d8mgPR$D(0cM@?3hGPM9l=|~#Y$M1= zl!1vw8YQJXj-WhykCmNroiz;UFNWL>9%~rVAEG`JkRbRnoa0+QzQmDL# zRUB7O2c8(A&p+ll9$HdfdNl98kV`cj^Po*CW?sd-j|3{GsIQ0D?aPi$_V$bR>NOgK zcYR-j7NF??QL=KOMwkZ^ECw zwX0ma&Rwe>+B*cIeW-SotJa5@#^s^*VRrCzi(>V|Yj5o;*S2%@(NXAjuP!lt4cF}+ zb?J7mUSv18b^qvru$oPx46Y$ZlW;#*(^^>8vr$csr%{9evW<$M@w;kQxz3*Jc8~5? 
zvW8+PVFOzEt8V4}(bwHkyIN)Kb7k+*y0Z6bg!hU!=fo=w-Tas~f; zV+@0%+x96Kfc5gim_ASY0PB+Zl5OV0y+aS0T66RxR83%zr4&Y_JIU+g1Cs;Z-U!}F zU?@<&m@zX!6bT4cFN9d6pcx`J2%M>8c=S{ZBt4`2Y?LW@9#J%~!WL&_SZR5#HKU54Iep&1)OlFo9gDk1)DW|AZfKic?yOyXl51MI#{H;coc_+w2lf-U@mL!f z*0HPHmSbJ$tWDLf7TItwaqGy@SFwS>WppMRa`RkoXf1Bqi8rLIzpr+co5PZv*mx-G zX+dE^xN*#y5I7oN<%Tcre0bDxG;SK)^~uC*YgeCO^pTgoJG$4k_x9JWaswK#rg^lz zspZ$yu5v>fH<6nAnjrSeJ&QDyI4S90}J5J z+t$b&7O?tw?dmjJ>>rTXtn_W01x%Hp2u$OwX6uU18K8mAq%fASneXZykIN^@jP=43x#8$ zNF)Td!|(?q(hEyw9#wC)>sp4z{hi`I#R4YJuDAT^7^vgko}#iU45L}<2d*0Yv6ucn^BM)9v5Me z9O7O)>cP6uxuVvtzJqnQ`WWBP|9-eveXU$S(R!+JL8PQq^O_-_EI3a!J-8t^bm-1H zB<@CBsLHjgZ|BRzViF$g@jA#djbo*sub+VP)i+9QCD5ar zOlxn9((bEWJcL(ZgbO$<8yUIg&&Tt@*ZS=Yv4pIUS?cq{Fk|L1QFm@;p>){9| zNlKV>NeM}}l)$4i_yR~C$b~c6ER+&*B7!U$YEILUn-YJe6Pg~2q~qCeE(%{YSq00^>V&zr6c% zyH9ujWcO-!p?j*kuX|_Lx4Zsp*H^oKtm{3U|I+#YcBb3^sQu;k&$T}q_-gxcWD4lr z^A~$QwdY56{>z@)p0j(7?*3NbR|DgFq&<6f|Lg9*+Wkj?9}m1g@I>ITz^Q;n|J{UB z{;Qygz`IZZ;r|bRcK)O9gC5_RuC4J@EX!QsFzP|%=1C+nAr+b3+a_vjN7xGITW)mU zYN)pM21eB0&ucrJ*|wCst|phsx6nVU;V4oAN8=et^I@G*$|fSRnn~(vET?6mZrg-> zYlqK4lS1WQ@-^NRh}@uA~on$|#rQ ztiEIhXDf3BM;7%C>SKi+BQ1pw*UjwUcwS9I9i$hSQl_E6&#efKXpL*2$iMR=jeF|ld&@JC+QGEp)zzwLau%)rHK=cb=t@q*(2~yGvIZ>f@$j6 zG2u#tQv~dr$ctHa<>s)nCbKv+o+iLNWT&~eQrom7egWNw&)fs9eRSpxchuJIb+ME) zb(XTmi(POgbf(TyZm+HJY8PCUa>jBr{hr#|0WR$DLW^e_Wa68%;xKw%8G}=SGmw?n z_Pal)bH!gLnnuaAL6H^cyzqW_ve{~rk>|%5D!D9@C)7$3k zwmEG(Ub39|ZvqrAd&iAB97Ey3e2BK{a(o@0Zx+C8%vsP8rez`@WXlCPL^+Cyy@U6F z+gtw6a-9pq2IAyLcBPMKwu3mYuE)UR32#Bk)@g0qKiZv10BM+!u>TgNgR;o5?dLtp zobxUBZ>G6w^3JyuOzal($(P2bq`EIY_a3Hy&vy-4@LNQ#kyYC`4^pE>->D@&vt%)XS#E=v%TZ*I;uPWdFQuw{$X3n z_e|TLwtcesrn3f{B-$kwX36SRzCDb zhGKHt^xfsxWGR^uequ;NI6utu$|jr9w|Eh71c%gxaO(ubO#)R2@I)Ht4M^;8xzDg; zEt#3C$V!VN8cfHu6W6U;;x0+Muw=*bhIk91L?RYbWAP|l_7ZRyfp-_Ss-5E5{pu;> zqK?{MPAOY@F&0&+kiDkG;4{CK7vWl_B~Sx5uEC42IotgvW%qcfl+IOw40#O_%Rm%9 z*hV4C4~zUO`a&T(fG)zSURs119%TSf)Ri4Xk(M6{f(mRn#Ea-{8z_-yL&3j5zYnS^Fj_g2{d<~OtkU7w-UkHlL~N&a;0>Paq&@LX?6j}!6D-nZ^u 
zi>1KRHd;%8TrhY_#znpm9MNb?j1LBqL6;EOwSpHnlR+Jmd(nl z5hhoSL{!dcY9yA-W^xD(g6V}9MBqYGf{L;#dOWRbFufdQ{qO^BqJF@=%9F!eZ`2RC zx7V&F*&AF>maz0>R}R*$CfG{&er}CR+zjythYJeEI}2TH7B$@2;dL_~yrJv^afg-U zp_DqXmecvB3}*yX39`D9D6|iO%H+FOCC55&3*?A{b1+=y98U=*m*Fe{IT{U6Fawx- z8eZ@uEby}~_2ATGu{Gh`R|8Eh>PsjK^Z;!3=)5FREm(5bfV6=)zYKgcSoKw&+l5-< z)iBW2EF27>J444=Cod3#2uux-tTpk}O7V;P1$8$tV z8yTJC`(jCg*P4VXPE`bq(`q5V9yV5cVM;u&6!7jx!XgTJs!*^i^BQ7%h87{#I0>*4 zTm2@^(>Rc`-DGc`jWqTLYF9NzLwI($#BD8W5Ck#Kp5SynK|DX^zR>yXuG&?V5u7Vs zj2tJv!#w{+Q}Qs+5VmA!*&Mvl=9+UQxEC56DxHo}SZgWi@b&#t4yX9CKrUGlHC!6| z>o^Zzwp?_Iq+cdhk&rlY<6uiF1}`){;=q`lBS*?yw^ zNc&wl^M7%tjy(VOw>{VP>9&vV_&eVHo< zb5TS(MZCF9qdz3b$GjCs1!V)pQIX4{c>!LKQoYC=oEJe~Or4C0pg41&Ta3$57XJd4 z@*H%4I6beU7v6HgkkN_JN5Jl%3QbJ1a7#plhX{}*ScB_o3g*^`z#lBTX+qQdk!{Q?<1d?0c3E@g03*T&+d74J#Bse;nt{dz{zmd1%~clCgbn zudVSKb<5nwHx`(>3A@?e%MaAn_`!xBAIA2szfBI-*7$K|fPX{#b%+;q(ho7YfuFZV z$<NI@6gGN531^T|B@&h6N=Abd zjfNE5k&I4xxFg645sB*A2vpZx>fvXq(fxWPi-6RKk%O6$3pe}}Hd;T0t*LDA)*JOx z7)BOlcdU^)X2$nESX+y*1@s^IDRp$)EMY@^KVuA=`SMLL2HTNnn-+|XIl&|qX*Bw) zmDzz(c|Mf4f@@JhwUkEMOLF51LH9g2k5t$pYZSrxB^Uj75tJ=8#%(Y+r!C8nb8{NA ztwhwC&73ISu)*%g3WeWvyW=!FT(r6=F`mJKy)Xsymo zH_fNhJ#^28U1>8V`2vMZ;EHJvkP6EnB#(97%qQ)^SwoXT1JYs3Q9vr*wKm)`uK zLV6PCJUET?-w+!LS>~qY8XuN3H}<-(HRY#=j~aP(P0y7USOO@wPys6G{uQLuI2Oqh zA=fc^wDXctTMIILzwapHmZLW&P(aSb>L7bO$}N|d_*!K@PIFThzam+;;k~o~tKoD$ z+o!M-Dk#Y`OF%!C&y-7)oH!-hi(7^!4o3Y{XaXWFQ=viChJ>_igRn#L4K`-wueHXM zMGl{!<@zwE&lr6acjzWNPQN^Rtwnn1K#T|7WXHPXCOI3NuWhp9I+uqYrtpsp&gS^n z`r{%*oD}i%cU(}gjTR~ii!RB{su zeK!^;>gWHhXISiQ`$6Ac|Cn#jU+($(p3m<2@jbJ9Cic8#&%xdQvinbVU*5gY`@h)9 z|G0l_=dQMYZu?f-AGW>F_Sv?dZTmsIxQRa{#vu(h+)Md&rie7-4R z3B?)077h!)i7NGoZeNlY4J3)0L&!V~?^Qhm%lbTOAcvfW+-6+3tWOy@%`@kRPy#8I zR3x`Uu8$;A+(i-z=Os#T@%pN$Dvy_c2WRSK3F>7gf=Bw!t_w@=5kDQyFlBWhJ8&0C}x9KS?@kfk8#e^bgnlrHJ zvyYq@9T^~{59qzw;K$vfR)u)hpll1Dpn|ZnyZ>cDr22d1^>(x z>}3L{zam!15G8zo{WjG%>_Rv+MHoUXPeFmfK10G01`u&##A$*}#;kFAJV7}n>aE&S z!mDtmjydn8J!m6Xy^d2IedLqXyiu{iSmc5ko0d8j!6#sd=5V_okPhR9_w|Le?s3D_ 
z;zHVP5&4oRjit2`TwS%?uv&CqZ)nl(()|F&Snn!V%2GX0u6AOrE$aCSDEncoP!56X zLcWfzWv$_la4E3>Hd@a_x@~lq)1kF!!#R+Fk7+EVP3>S;g8aaFd_0XYcKy? zx&ptDh9~fQwV;>zwK@dsZ4%fT9>xl6xpt8~vlSOKYy3_sPFJd)ty_JcuB}ZmnPize zppAPNG;XZ}+8U3Mx1^+fQ?<2od_demYW#X0Xv_=-*NLKJ9jYb7H6UvXvh?%3EJX?V zQ`lh(0aiSGo*Q4r8v?9g5#fapxkY5$?U~jLH*6m~+Me4!#$XYFsSwg0kG1FDF-Eoz z9%9ce3}bHF$0$=Vaofk(fz6nPVf*04p1CDsY`+%G8EQ0^P+|Mv&Yax#G3K&;@Y2oJ z8+F?UA~jF40dRoF>Lo#59g?;fr9eO+AP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%( zKp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m z1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5 zKtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7; z2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;Yn zfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB z2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9 zfq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx z5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C z0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM z5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI z0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVX zAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO z0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0j zARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka z1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%( zKp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m z1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5 zKtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jAaKhO=tU3r`Y!nP{J@?EcfY** z@!r4hy}0XdcfEVpYkGdFr>FZzyYKJ%Y?s#gxz0yB{=8$cqpN+Ty?y6T?|gmR2ixQw zpWmScJ{LIc|6PCDcNL9X|Icz@dF&pazl)yh^7-*of4{HO=L>ZCJAG|q`AoTFmU0zo zBA3f&4C!pSl&xke(&W6pSj-n^r1SY=wzOzUle0#l5NMBtBVjolk(H>VsC{a@FA@zV z)Nn+>_0~H{B@$O-zOMy}%cC@ifei+6zEr-DE0h+cfzsT3zF?HSJB%h{k%a2ip_+(> zlL_DN1oF#gsKcaZhXd7eL7J@SMI 
zjlp{<*Jrqtlg=4MeGX$dtJ7t#uMP(_Ef&{2rZ^l-#IUU*zUKmuFAq_N_j!KwP%%@= zqK}cGw|RFEjV6?Eto4h+K~>R|c-;5Zz;e&>AocKW&mJbL=6pVrFI7$HY-!ObGeRJZ z6c_9zd_p%d04(aWdf6yeh=gPe)ASgQk_;x|sv2t@4(=o)s)FzR3eEDs`m^jB&f6x= zN%r@*;QBDNo zYFJ5lbe_O2i-jYq@3#Zs3vabiZr#aadcmG^eW_5=v(jK`vB-W{$m=$D8SYYWTY4Xv5QxlU@UVv-C zSWJm3t%O?9g7HXFQxxA9(c4?r@6ENa&X0}MX|;E6VNFXUl$LFU-ms@ME$;gQ2*ok# z&6`lTdK)mx6>xdk*@vh@?=?GA$eV_ALeE^t zmP%fHRfz{9F)f<(>?0b{Kt+6?$C^D#eR!`~!tJb4HuGS4MF&>kvKm0*8}s*3F_{oXLrNp(i~CVxH?%W(?@Sa_SB#XSwi!eUNsnt zMq=0@zZNJhYt-eCXP5SV+@xfvs6h}LE!irl;f@jk=L`Ej8(7}E9N&j7mpi=sbO;gu zSTBNq##mY`m9wUlFE*gyNgSgfj*y-_wr(`2DX}6%*m1ZK^?f=pyR1@=nkNY3M#Y>3_l3MVTq=VnWHI4h%PJDo z@O4-~&9b->2_~Y^WIXKq)j)YUN?o1t?25K5Xh5u#gp>jI>rfB~pl+~d;~%y-*)v)5{7CV%q!D-6x$o z2(IadWHVFN=e$5rf?@E3xW`&of=Ut_J>mOQAiErL!eD zQDPnfqXJPf8cQZM-!BE8SPoG)M>pzbbYh@?bb9i!$*G|+@6IBSRlFb#2O~Is#FM^X z47_tWNS(dWv$M%3tNCHTlLzq9Leox`2M&f7cwspC&NKGyM}j(2zDIv(nH zL;G*Ef2{pIZU5Bv|Fr!<+xr7P|F`^K_kYI!V}8Sb#-H@x>-#e_@!x%4_x+~t4one=It;=t?Yvs~u zcIEZf6=^YFl;?2R7on&_PhX_uba@JKy!LOsP=N=S}0_qj_Udn#|A4>4&->nlBq~d58{qQl_Ar z=COO1^tr;lZ|Ux? 
zv=x1r;tKei$@>Zpy=_P`TcmO#T&7_Zi3^V!m07(&(mNf*cvER3+bz+}vM~=%)?GGo z2F{B(D)x2D(rl$NZ}x>k^r4Hhc^r3)OfX$2&6xA03N5P;#J5B!tc4)cq3zj<9-OVr z6}l_>3~NBIR3O_1vuL$w8q>ytZer+Y*}4Ih1lPUPFI8wob?ep2Y^e+!_3{OramS6k z*`3uZK$iCyN2lF1kW#grG5YWgP~8|aVD^0yEi)W-r!!@PsdI1>mq>xuN6V1b27n~& z2u9pBag=j@kt{+#GN;d=y9W-Z%!SNs$*d6jdjL;MQvKGPNuO-p$drm%h`Ka2PK(_+ zy6`<+qOFw z*qr^WC3|!3#+A1=Tb=7hnEUf*wdg_4v-x}-PPu22b(5z#o}Sk$vwgVhOy;3(tP{mngJ&X>xdvsk6rNjiZ=A3B#WRbq;Pj-X&#G8FD|vr_ya4K z-oj?(xHSVE)5ElOAYodIXS&;3I+(y?4HLNUdsZ$z#O7}~WW61@Nz|cE8}3=Tbd>da zpVh@)*XF!`o;hPffZ~6l95RF~2c*qyrJS5KU zSUltl2V#+U+K44{vW~;DtQv+cr(-!y&Ot{B?SmGNs#)-Z7<59ujGIr_Mv}Sh=LITlerU{=(hRD(0(mS4u0F!fY-+JZ9b5HWzUTI1Snl z#zi*s&0F9i)PY5gac(v1`bFZJU>N2)ydj&P$%8e?IAMdv=QC!|gpw>+D$j(7QxJy; zhr*!OYG`pTpOLd=Jy!|2n9JhgVsLgTUCw7^y$G#46cvoMm^!HnLTcIw$Bj%j5>*XI zzTtE>jsu~Z%o(a4&*@1hWTQzfsb_MDL^7)xYD|ZID-ko&u`n(sj~m5>e7RI44my%O zrnq{h@dcsiCw*Re2|JYaTbU)k;f#eofQ`Ofx^ST?mmLjYsLrJFnOWT^NT+mt=7=<0 z01eQK(z#M)_K5UE^@*xlXI;rqSP3cdTgAFKrDK#(Ce}rW+w4iQkKv?(<@A@H35`z- z4)qfqUQtx4qYlq^7J@NPygL)WRq<#1HSsoaA_ zpU(q?q5=J8r6i>dsZxcm6K{^>q^ikuS@VTz@xl>l1acGY4+8?#(-Mhnrj#jFp;m)p z6r-C5-7g<;4HJr}0!(St1~v>P%FxXvX%=tLCD%(K*GoZLR^Sw-Ra&U^u3QQ+n)7Uz zMROc^VVnEY7B{}ryVLIX2KOe|Nsv)zOX~RoNj-AImCk2-RxTZ3s9o7wH*t(3dE`de2EP>s`L%C>5ARrJB2nYlO0s;YnfIvVXAP^7; z2m}NI0)c;{2=uo7rtco#*L=H=?%unrwCnL*V?7`3taZ+HPIeycJluI($A9hkQpcw{ z^o~94pKbry_J?;~-T9|GzrIt&E1%i9Z)d>wAAK|M3i!>oSF8_IYJax_Dks0+vQzNO zZNKZw-FgHrU#P9U8_F%e|3fF4a_j82tq}e5^YA<6p7H0&3S59IA*m}*EX~9AEs^i( z;OHpa=XG*=h7z-sO=qCa&5`Pv*(&0(Y$OfUyqtg^l≺h@4h4VL7I0x{}K!^my3t zHf}T1F}xNn(=i#2jX5|kQm5{2Y}*Aqo}shl&atDT-u4e~BR9+#v(+>+0gO(Jp6H*H zp}>9uhT#zZmCPCG&>XCwMme-JR|ri^+OD>t3HyU_-DO~?EaoxXGHdgcaZ%5d%Eb^j z?1$iotSM?V8i8kOG#U*nTHG-xoXM9-1C4){^kQk@h~#$Z7}Se-_@zEpohiXJYr(vb zUuyRAaN8STeTl@n=So@T?a%DzNpw#3^Cp$~)~xgqC2{ku7}E+jOfWmf)6lA$KybEC zO1Y<+DJNZO%%`!`Dtf*MGXa@@Wl7FiKa`CbbAhz%jy--l!XI)OhOgUA%RtK2Vzy9- zM%dDZ*MW!4e_D~?ZR+Z>Nqyhy5-@6D@j-zLQ%DsSUqmUmzn6AYq2Y;gs|jHDsBiJs zQejQVmDz}eln@Ra*PXR5Zg#KyjS 
zh?B@0Q~$S^^dGLRUF7ZG&fE7e>2G=J@fC~iuh=(LTU+40a7*-A$Mk<=v~#?+R^{zl z0Pej}vNT#-tMC@NmFjH!jjc+ z32SmXkyB(9j`Xsgi-IBPMmCZ)63KKliKRWyUg8b|6Z>@|or~sRc1Fh~cgL^0qqbIL z7q|n#gzZ0oCg$8t)ZGX6*47H_4tGJDU><0zudl6LUfIvF217R(kIJAy$0^HU9zxKWbI*#i+ zZ+A%oyGs!;B~dgfm>f%%MA97W`vtvBaY>01U*c1eA;Gh=v%m_AU1)bf5PV~n04d06 zoyJMy__WE%X__>y?b9^v$w|^UN!!$EohE5cn>2N7(Qe(Gw2n{XJd1_f?>=UB7TCpO zNm`HmJbqyB%-nnDyLayY{{IQ)hF>j>mCEJPWdE41GJMu@vk&`c=_~3NQCDEmJU5_T;&VLJ?j` znS23mK&pPu5CINsk_~?Wr-y)(R0m^$aM-5G(o78-b%L9z*-UM3H(=N7(6+1t+{)f= z4syEK=WP#LKls2^m^Xms*u@Afr;Yq>yt!V;k6WGwt%xG`IV_f{vWFH%_f`4DO@GAv z^Vj(oVy46wV$+*<*J9&{$UBb+Mtw${4c;0)_F?`iv+`rVJ@R8M&AY?r&bgtQJ@4%O z#4XdijvhOu>;muOaKv+Lr`;=>f>$``8V2FDyW~A;{&|isnQ+NF)`EP?O^d}foQu01 z@f1J5gju47cQpdc|9^-3tgH7syrK~r*RadA{_Og*9DuI+JBovQ=l6B^E#^G))^xiCQ+Cn8l+81TOiMj-aR=hbgTX{5 zq3T8?tVUDWpsGc+sG7?dIrwWK-Y=7Vz?_frhXhl0u`iVi8G0xeH|{s*nXjhXEqJht z4IXTsIcmDy@`(ly_5pJ~$gc?Y{Nh%4X5B2C^URgX?fyZ*D_-oF1$&XXJ}W06xxwdo zinCm+dBat(T>G-%pDJ1zQNGHUHU(}8G+IM~2qrBnjOUWh()Q>~DKZQfKCoT+BKR7} zn#>VjQM62HqRJns@SF&HnMe!o?g`;qy_eH%$kr^12P_@SO2OPE`)ystsr=YPS$QR2 zEanlgP$=Y!D`_J_t+Wx*HY}V&iYyyh9Uh|PDZLZ`Ysj2Q(WF)lZLCQ*Bd%2f@GB05 z#sBuR@QgdJu4tpIfZ9Q-2bz2?m*^?LoU+*bGb}h44((QKf>2^Cx(L04b{XXiD%5cfUIf2RqXYckVFt^y6M5#> z`5b)wjSBt{Y9Z+Tn5ZN#E_F4PksCNIY-ZgGbjerr628qT^d+0BY!^2DgywCDsz5X6 z`}wIe9pP;4MVqa?gCD>qbDp_Cy4^yczX+amey_6u8j<;rifIUq$i>@ZNte9lbdNc| zhYw)NIke!Z6iX8D4;^9$n<2E#STH1PVeY^~ezCI7b>*wtSW~&8OV@MBY664ZP7JnB z_nPykCYT6pf%dE4=68!+b|L(eRxr8FqQ&v5Ajy9k{6(Tng1|v5QP4Mlh7;tf}p4ub_Bx+dyeW+ zHJr-E)M#AGsHt!!sm8TfB&x@A(P$zALcfzgB*^xKzLXvd>Io>?LFhlkuLwea!9nQz zoKG|e{bqCiL4HLjTP|>A%gtxZ`R#n2KQ+Noz0fhGcetZIclNk)aw22pTfwQqBK}tM z!maHejzEm(wBqnYK|wkuWUmoN6m%oI(98nucOzyaW9d}D7a$(5iZfIwRirwFt5%$v zl-9gPYx@ZE1Q#-Pb*gAgLdk>pE3Qi65fU&dgd+h&)r}OPxhXKRTt=u}QI+GVGSEUD znH*Oks~VM61%aR!edK8#I`$+Z0>=63Kq8uo2D7>z%S4j7R4$bXX~CSKAj*+SZeWxR{N7i+E^d@a_at-lrP>YBb3kgE@J z8X(CPV}7rt}^<7ujx4M3(>leFbd%xNHnckbduWkD8n|^Q8uix|Ed_U>? 
z0bj-Uao;}QJ>Ktnzv2Cg_s8KMu+8i3{;BmJ>Hc(gt-FZFzvABG-sWEC`ZL!bxxV81 zCD+d)3&2en=WL^YH%nFX?)W#m*PK7YH}5A8@y&a=V;a~Iap!jhkF9( zGK7%@v*vk-77u9zd4#xXAa08p306GBMC9HgqdD07Bs<-g1hhl!YN+e)TyT2hm>Xw# z-}viW$6AxLX&J*G+XG^)mbh@I2pPY>XjJkph~K`V{Gap#!Z4RijO81r#KByA51O=RD^9U|l;LEFrE zmdnTOengD3*~w4uHs_DZXqjX*2O%uOM0S>?$I`T4>PyAq z@i=q&gUHU3^jNz2OAe8p<>;}WXcF03iXOLHY>!LAKO$<*vkX0M_a|Q#Uq{F6$|}Ap z&b6%Oz1PIGI0Sn3IaeThLHUa~a`{<{0P`yJh()eMUMh?uArE8!M@!`k#r$aLoF#)N z0>Matr_oj6xB!8;I#D)|bSZxh=jX7YB6pBh;Cg?Nq^BX03Tnsu`4|pH$e5#+q|f~! zM)I#CjSq8p7%5Gv)siY2;PFsFo`fva@M9&&`{VGO5U*2Ft1MB%I4lLlD%>aV$QbmZ z@Rul;CWc4w5VHM-wUCjBXt7*;u@sA0!k$qWV$ZO=4GsRvew(4j+cd6%8G{$49pP`g zPFUH5oS##}@d62qB7sn%*(#9?z;+M{-7T5baR4z73MBv@w>rQ)NUHky0O!D3vpAil z6PnJL^Uv@Prxp_*4i{4I)K0PlvUhqP;e2Dcj_mV|kq?&Y$ZqhO6Xrb2bmVr=d|UwW z9_HWLMD-&~e~|B|LAId=*^WYh{~AK-+p!t`24B;OGsQg1Z{&6hXNpTL=(g1RW6@Z8 zBYV-dA2jEm;0;&Bk~zrl8c$OYSeC=cBCwa52<#@e+x4*P3oido{|4W;eZS}XhrStK z)%Tijudmnp8{U7>{ij`_E~Tq?!~b39_k7p$Up>F(`Dstt^RnkTPZ(YR-*J7x{k7g} z_k6_tTkc=p72PRTc2>Dzmiefd+4O?1_ZhI7t_?O>6ryg@L{ zS2y!iJ>as0PpROtt~RmX()U~0hiq}@;NXWYgukii;tJ!k;!%twoK1zM=?dergd?di zj9hVYS;CL>G~d`)c7%*b1erv2H5SRhEj6Tp%R(rHie&p4{3nJ)l}T_}!q-$7My~W} zp-?mzj^~(RMEH~n!^jl}mo>`YR6fz*vhFkIU*}hZ>+lts!)j*KoX_)9@+}cOa;0NF z>+H#cf#**iz<&d0p4o^09#~X$fpb}_dG9rFS&lD&$#ag_5V+D$iWG|6u|XGq+p3=< zj!aGs2Ej_&v`F>SLe~xkB!1WQ+(Pvu?cyxClbC!%`@>T{$yaK$I#~_-;r`bvGMOQJ zsQ+BX`RjG=>Z!oLfM3#><7aDba}j8fm3j zN+>1IVm|U!C0}8=Xn1%Mk{2t*Qob^^V*Vt^qQW;*2pd-{S#;QOU|eBGif{*%-?g`v zH0KTenapb91AY%P6Aon%&mYv-Tq5<)pkrgLkW`3mF22*C>){Wx{U!c*y<#yl zJ~|rw$lCQR(=h*L`Qn)qV)0sVBzJt1w%?+iD=T#8F5P~>oX_xv%i^tCu?4F-6u~QL zyd$BExU$)KIQEJ)tAxK4|63{EDEJmmRe7CFc`OwDK&!B537h zNh`rGy|eC|?;yiAJ!Z~dpKn8S%*V3e1wnQYk`75o0+J!G^L*RxBqp z%idm55zxtgoS#x(pFo)@Tq+e+O*OIz(%^BXOrEo-A7d_={Z7xSsS%dfv55GKL>Otw<8dt)3mf5VDjq=&NibqLI0 z>x1Cbj+aZ-5;AVX+aZhWxp>I#k>{UVG@NoFKb|XO%VKUP;K^#78Zq|6RkiJKCz;11 z!Z-Qb>=#~zLnkJR2w-kxsFT_5nnoK`Ue}Pmny24}I4y``WA=-IS#o9HlI|O~w0?Ct z#B%T0jE*P=*XHHy6n;xzqhI(a8|9Y{A6`@LJ>bTJVQqoPp&?j1MZRRtPx8ZLIxh~B 
z76e(OM7Hy3BV`~qB(HNNR;I$)dM%6CH|BK>ZRa@zps^|zEV4Gs48Y7i8u_F12rff| zBReef|Btz9uHIklt@if!{Bh4u_6+tsu<3U;&238G^Syh1;hyq6dpG{`jbj@h^WXA+ z)_>aH>-$aLai8D&Z@e#fH*|lgd#XFq_3f^o?$Wv*-0+__3~qQ}{qL-wTc2L{y>-8^ zuDouq=Ubki@Vw%=A2k9`yL(-~iJ=z%OOJY8?yc_q`@EwZg0AE6##Qn-_R36ruS{@P zogCb(r;x(5skC2gAc9I+2^5M;rC+ytdA*}vLWxK`7*FS|Uc_>&Z7wKk6^{j@@yQX? zH{9x;er%t2#4#BW1P|>ue9ud$)KXy)bXiuLh$Yz96$9aVWo2>%nd^rQ7E#AJdPfd& z$RqGlZvjHGKN1T?0m85~{b9$rtA#Srk5U@3NGP4NddYRvOBA(hQn9pQ^E>LuGjFDO<8)j~3n)~#Ojj(S1zWmG~+XRKZ_9rO}IQ6E&t3Z^xy7a>2bZHu8g z6pFYcQ|V7wy?mmBxkUTn_ZLkh(?eD-Lml;k`bEK5DE*q%%WEC=0<q-sn}UmsdOJ zCBljbBJX*6(CTHdgI-W%GZjfi66udyy$FT*+SVxCA44CB@Z>A@G4P6GGI#G7K;6s) z*tlT&Wo!DvVz{>HvjUj$cqE>F$?D}L$Lv>on4p4X9MMbB^jWKyvmNw;;*+crXfl1q z>g7yFytCv%2p9^}4;(Zc{^hv81;q$PzxuAj% zicI0CK4JB8qJz04`$4Tx88`i+)r)YoU+Y{z@Di%q^)6ZDFJkvoh zAS)sG;zrZ^tX@PRv9&EL3Kt_J2;2Q*RxcmxXfBAu2*xAnr>$O|UVAUBU~mE@-NNao ztX`h#sFx75N0CVSNvoG9JLrYg_D!Uck@OQ*FHdyT3ks;C26p;!tCz<+=p})gt>Hv0 zmL9Nr8R)1NCe|gw>6Fz=s-s?lsc(`~`$X@Dd%Zp1 zUbo)!C!RlmFTl@w-t>%m9`LMp|G4`}_eT)}(CzvQ*Ee0i>-v)G^X?hM5`4z>`G&yn zKIXceH~{zGcl|-5v-i(mJ^y?CPqcd*_r`Wt{+6}hXV$mD6ycHnzOHM`m=aE)nT5DC zHA5BBW7b)qi${k2x~}bfz^p&OTZECtbAIb1tE1lTV*IlN~&Mghq%Gls5Vp<(=2 zP>T#fuS^}xH$%m-+Smwa<$D2nOLf@43oO~#n3b)ubzw&Hb+f*aZ}l0$v$?LlKP^Dk zq7AYo5~c{gV*K}tw)^9buef2QU%S`f^cJ)3=Wv_C?CQGK!YXjOc!!q0y%B!N4#cVI zYdTf8KWo;#yyYrqLR{Bu)BBoFqU~nAn|CE_@2+c2j*8pNdKbScD=}W{a=?ABS>J$* zmgoOfZfB2eGVAMktFW_Qg`K^=jyDJraMh*&A+zq`7X$^kx&w6;VFQhYR2=mgR$Gz9 z?ZNaANgz!ka$9H-9jOxQZvK!oiuOTEoD3$S;Rx*PSNRoTXTR#OvtMyO(PU@8%&&+A zzbftQbBD}%k!kdY*KvHWc1&VUHi{cAwP5iAy{mZT)-=cAdA3I1OChr^s`uO0`TuU( z)>~7qRan;>4|Z%{Uo};0?R=Mv*{*!w-@=Qn315>HyLTg|;K ztjNne*4C`N%rnav&)YubFq@0G2H{t@R z-cxc(+{T@@WWyD}Vav9dn09fjuB~SMew?x%nH9}-tq(_hA{R6yl%4XX12erb!OeLP-kdV^W-;naJ2O19g{5ggt(Yv8Io<*7lfH}Uxi`scdV zgO+=mTD+S!Ty%ZZbJ7pL56E@m2!s1+#uofTattYAskDN4{u>mji6&_z!oIF3O<4ED`D2Z;yOb z1ga^g_#5)fclOYbgjpbvEeV_8f{?Ht&7$(T@IiF3=3p!a?nRW|mg2B!GeZ!EStyFf zs^DPm2qlb6(ugJ06tsFs934c};%rh=!+JE8i0k1nF5^34@hbMWW%j}57D{PGD2Z=N 
z)XA3Lmg)GmSO{<9nZ~z;>9IIok4&KGGPlABsmhY<%%shFf-lkBqyWh5m?=74{rq>iwmh zQ3cU#PItiJqmePA5~|pOHcRV+2nzTezzZ~(NJbqpI=+E7P%j?30^y{H;J-0zL=~9^ z%O#fiP!&@sm7S@JoMSF#k`jq{C>#z&l2B^HCnXeHS-59mhm9oAjU;lhm{W$oE7cc7 z$_OVb!$T7f9ew`5{!=GTA3b{L=(B=ywiefy&^Rj)TPDo2w(ZjNcQ_6=xNrhJ&G)%H zqs^U~S>GW}ppe+!(=AR!OZfA*7v3DN3}vmDkw_%!8}^PFE` z#h%N&%ro;R!?(!Xm*BOiOv1lV<+&v6Q&%Z!V+KSzmV?YAW4m3`O(NZg%=&hIRb-WL zO?O%291-=&r({+N3NQIl=SxmACHWrSBDsQTCs)8yM%rA#^p0FGlL%^1k09*^5*kJ_ zK{b^?xg#TqAa^|;Oy+bQT){5>l+cm5ru%ZKBy&~!k zjRL=IvNXgK6pR3BQ)y8>You~oLJ#M%DDsiY!1+Iy%OX!@BAE>$^JF3z(qM#*WkW^^ z(TWHP2#2$YOfVCQKkbma4rQN2>XpS>3?#|pDgKruiL&!XRl$cka_%jo%nw4xahGyS zNiu0=j&f=*ls$VdoIfa~2;r2kDvNG7!LvZ5^Oez;*gpuQt=WXz2pY6${fZpLwAZXZ zB+e+Qj-9sY<@bF*;Bfgc|5hbuGtEdKONnZqshI9%v%XW1K;dugntl(HKx-@Qa_$k3 zJLfK9Muo+f7ww@H?F@_0r`sWk%>KXCwczS`p(oYz*ruBQus`bG=6Cu2hwqENANJLJ z1>ZB?zwv&?d!zdc-AB3~@7~?@uW|byBhUZOBgdcaI@FNr-*d$u-r8r@U*p^FN8S)b z<9f$L<8TT5Fk(WGdlp#*n0LQSip}K6STLN4qQnxYWH63WfSIV8f@7H)&&5(fJsHXc z6OmQOkzx#_F6CqFRZjBk^~y069x4Y;vuNS0HLR2@OGsBM!U#kbJVb<4S(zRr9=EAW ztF+1;)Z6<$X1I?;ScdyZbg7iV5d@tLqS&<<+LNgmx1A zOAwhXO2ZUaaw&O4lgeVaTlFii4!*&ju)9~4!8efT9uism`RHTWQDe$}#32#dGa66= z1q2PX8dn*_^UFT$e4T(U=ZTa~){NPftgsL;M_oYi`aG<^0j>1_bXoR*ctQLO*}q%Q zo?(KgbNK?YCoPfX8?Pxx2xLoRsG4Z~f)9lCXVxefRjb560Cgo0L}gt=HfQ8RX36*2 zvIkfJP?nOoY`kGLi9jqCqi?mKv|-~3o?J@Q@oJaCUldT><%Eih){XK}%5HzoW+OO& zP>wiI!7m0l{;!b|e$8qAmnMl^QTb{Vkx2!o415caJsO7~Ta!v_g{!5aUv(LQh$HPX z_{C(4G6EU1{;FVlL>U3sb(`sN=-UzZw$?%#O~(wF7Z!?bGcVT}JHz6v8!g^f&H5{1 zCc7m$xjk-XX(@qIX8mP8LQM*I*IS6NcXq|vYna3ybnZaD{~Eh*^#uulC5u3BV7YzJ zte+KFJ|?mB+)?s(z^tF)BVLr}bv+^aS7v=PKv5`aqoSS4HR zw{_}V=Z@nDS@g@=c+Oz@_b|)I7YPRB_(%gF$7eYJbd+2~nIi;yLmdyA&q@vrBctFH z%1GjmcF&Y@=%#FBN~LO}663PQCuag6k-&aY0w9~ibZX|Yi|?|0&hp*Z)ZEE;0HlgV zbU9Fx0CQC}{%$RfFVWhscxHmARhBpNEuwfBTNoKFn%B-OJ-yScKhHlKQx!)@%_d;) zmd%6nnWaW;oKcMWvAm~^7H=(R)}Q6?F)QM*T(#RHe-=~sP8WA{P`Cl)aK?Vyvs|X= zJ$xH3e+%E8E9${lc?dS-|F!2IVDi7}3Aom6_WY&ik37Hb`J|@|Z~x!#{ng&j_Fn9L zu-Dh~wN1%Qk8ZmEp6~fz^e6m%{&l`T_WhjiM}4!tk}v7o?)??-KlM&`cXj=F*EhPd 
z>;CP!&#n8^y2*8e>mK#IaGcs%a^<^CD>kGQuqGzIVazfjJQ{v(lC{ z+nCvcaDtTvli9}10IBeRwIH>PA2Zv{g$?}Vos-_NvmG;DXOA3Go{Yq2-& z9UU&13+wsroR&Ubvo?R@w5qp&ZxQSrfsV6@IepuV$}Cuy1?KJDXz`lo%mqZQp-E;) zcFn#&SQp{=A=Voiu9htKN|yN5odyjCq!XL`f{QQ4)8f3HZK2SRI}I!+bE|Kx+xC~t z`W3OWtmD$Q$=~*I0;@c8$+vx1W}B??5wm`YUp*_Q-L)#HpaQtaACvTR2J{mL1m28g z^0nV=hN%EpDqq{uJ>#U3=lK;$i)MBNA?U{=MqGsj6^3{t21C4VXlgW@O`>Ljj#`6J zP{~RDlmu#~FRH~1Ef`E?KqV*mB}t2B8nmd+k_FpTa>hxE>MUb$V|oo*w9BlQ1uc>* zI@2*N+AmU-p+afVC@6=j#+a-uxQZ8E1La}POc3vsQVzbIkQZ6eRb`xyna7yQu6}*I zuv>xfUCC$pZR`nQd_f&JXrD`kEEKOcWf^b~2x`nfK_X1NQX$vizqKgWSsI6%ccwT7+JBzIi^K--hxZQ zJ$}%Fba2oSGWUpReWY!DfJJKZmQiw|&e0NmDm=JZ)@qL|xZ#@NNpSHsveea$uaOD6 zEN6A2#asKZSugT!J}ceyX5JqZ!?`ki>A0x7>*%pl%C2Q{CpMN2i^o@#tt!i3Xs_RH z{PSaP8RrLJC>RENRT)t;*iRL8kDqx94q#h|kI(tR-yU(PkMVW0j-q9WOQC6rnFe}P z5ErR|p0SC`?VT9%yy!FQEDyQIEsX^;o14F1?65q)F3lPtI? z8~1PA<^MDPANYU6|3&|df7l=MKkWN!?hnJ|J4GOEU$T#!1*P&1)$L`CUh)V_|TqDD3Wl@hTb8n+=9^L3p=X&omg)d(8#m;kre<@l76!HG|#3YP);fb7Qi- zV`lWZiEp4&V=~K1 zUXB{v2E{W}I~rBXyi-xZ5v%d2n#oty3r4ww+Er66>uTAxu65M90<#HiSSS=xM=ZEh zaMD?A36~49E=qK@ENaD^M;)%Au>8l9-va`mv2T-{tut{&o7CAqrU z)vh1xCgD_Uk!nt^nEj#2v-k!hS37x^l3d+zlB*s3iX>MzcEmFoEt<;Y)I=@`g?=I% zSG73;2OrN>%K|!#j&~c+o%7PCCC4uItMS15X zo(gxGy~fCnSPn}^)XrJq8FNA8)tV5W{tcTJt!4f2y^361@<_SCD90B5Raz}xQ!^Lt z=byri)Ue!mA5spv{3{ZHm|_x{V?f7JVCS66ST_tg#m zX~WNN*ta3DerD65O^Hp9Z0hy>itiu$-tv`wXMG>`b$kE9`!(-B^M2at-P>z(LT4j&KW{fN)4|%DP~E&Jq3k+v-p~>DgLD%Z@~n|z;~`e)1RL%kH(iBm zb3z#-dE&3{h-MRdRtqK75HvT;rWjT;(U`7gk-#<Gi0*87k` zbBDh{Sg*>)Brmdr`YnS>X?zTcGzU>s2mkvdv?i>U3zO}{?Y0F(%br{GBxFVAS%POv zx!j6$|DYVUQ7(r0z8vLFueU?@Q?luf*Sep|md8D}bw&ihuxHk6$$NdMo<=5V^xVZ8u!KKF4ynSo2 z57pjbc^+p6(STxk+uwmR65m>@Q*vc>YbX$kFE+ln@vCC-?M>El(2;hgafMmSn@#D< zS<8iU4nHt>EnDdH7$In~fe%iOjZb8nn?|bHl3tN*PTTsT4m0^;^MjmZHaDF-auTBH zc&P~AKKqK(cc?KvNvtZ%Ig2f^$lGCS4gnbM3`^3|w9t{Zr24ATDczT<)^_6Uy|uZ= z`N^=um^N$-v3SM-UKrQf zlh__u+vuX798UF7PiYeIk!AOr{jLVyq;1PB2_ zfDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq; 
z1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{j zLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQf zAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y z0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX z5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A z2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_ zfDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq; z1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{j zLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQf zAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y z0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX z5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A z2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_fDj-A2mwNX5Fi8y0YZQfAOr{jLVyq;1PB2_ zfDj-A?kEDAe4lsi@O;YC`=`BM?S1r~NAKy`_}z_vxbe#yKfiHus_v`9{1Km zmCA(S`o@E&LZL|P&FE!XR48cU6=T<#yfLYq%ny%gyZuj$myM^M z&`ViE(F~6u-m7U@p4Ji*?bC9Y=F^j$F^S)N z@T`If@EMAp(P<$+%5G;<(DFsc7+I~V^(zMfPH9q|7{{~=1tnvkJ0pu%t(Mp`xqNv{ z%uyT1=;P(QRyELT^NT5%Ao}L7)bFoUwdzD=Krzmb8|D0%fq@HtZK66-Di0{nmntL5 zGv(5xQTA80;mUwtRkUhV(?|QW`HEgTXOyQJO;xt4{z7S3ywm_j#w@ZEdUZf4Ro<9j zH!Dik$mNSzC$<(9qhRP&CEZw`y+^e%WAAaTI{(wr0hGXyphi;O0HZQlei5v zaGM-4%Ip;tr8+fkC{HRuW#7@XQbaGx6Hh4*0fS=oBM&`}ThPmZf-bQgsu-0`0IgyQ z@`vLl)+P4h#8`2Nb;fR06jga_&q#UCWA+ccidNJOM@t6aOpH4kCMPEyzbd*`vC3Ke6#B(^(Wm5JhLu{2rq7YyvT z0cFg{<|oFmW|dJ~R+JE?zJJ8fN5!|H95>2i`AP*{W9j!{pYsi=U<+8y0H(^em4?9^ zn+cmA{Xfm$|I~=VHgajAkYziuniu=9I$~g7<36oeRraOvS?Uwze055Bwp^MR@5iHI zHW{|VvGgaWDpg}FaMCEB%j<@6Y_iC3IFxHKA@(^k3>?$hE4~!H$|uA|u896BvOhp# zl=*j8HW()2BlY{A2(ZKCsV4&LVDVqRTw7n8dzGI>Gn4Wx>Ro&m9l*&`-B&QmRW|!v zet5Za$y#1j;rm{!Gyij_QpKJe7A@Ft?6Vk9cI}d1NWa*0m43Eev0M3eUVM%3$X#qJ zD#uPJd#qi^QDFO&HOh_1|7LrT|G~H4?%ll8T}O|dQXIpIJs8}*d$&Jd%o^thaB2s~JC-j_R1NI6pr3uK1K3(qOBUj>+T0+g z6;I1$=pH)AHoJ1%+U-Mrxz~GYb9sL2CVA^lw2U;hD8A3%Tbmo^ZCm7BJBp>Ev9&gr z89Mb4Li9 
zgXG*PvUWF!+HxdqTW#)Tj@H9+H8wlQ*hgz~FY$}d%8OmgvJOE0tP}ZLJFyGS@D_>t zEs)}(3Oc8UYjdahmD8f@TRUP2J(|gd;%YdY$f?mtDyk+8J)wp&iD=9)g7J_Z!9t$m zPsyElt1lQyrb4k;D1^aJHVytD_T~xRBKPL4Z5TXTnyjFg7n^$dAY)u6Kxe10Igj&8 za&z92n{(!3ZSEM~LT?#z!X2|;2lHiPQUgbl&R4Wd0fgXOUSphAWyH^@?rMN&=F-xf zMpwY!pbwn#V`CtJk^!qul#3Oml*@tFF_g0c0gy&92OK#$@C2aBoG^}5tK*e{KmbQz zKfoF>3ge|>Azw6b(2fN%IN}0Ekg6U6|hy@7Bj7>-6WDK(ghXVj<`*41Q0i>Se9CL0MQV%cCQ5%7b% z!+97EhEjo0C;%2^S+49LsMrWtV~~+0Tp8ZISTTk`eHn3YX2x`kGF)QRhHY1{xELuq`BaqR4Wo|M3H3T54_WzRL;zei!O zZLpQaeXaPQ7L3nfV;I~LxNq?9S&*1K$g6m#W>#nkrI`-Z=8p3HZ@wt^{|Bsfyo;N~ z8luCkf-~Vr)0x0X%HgIKMpEb>AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa z0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh% zAwUQa0)zk|KnM^5ga9Ex2oM5<03kpK5CVh%AwUQa0)zk|KnM^5ga9Ex2oM5<03kpK I++_s*KeC4OGynhq From c31c24ccd85edc7d2f76234caabe7f985b9e59c3 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 13 Jul 2020 09:12:24 -0400 Subject: [PATCH 200/314] [fix] Check /nsm instead of / for free space --- setup/so-variables | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 1123562d9..07f7aa71b 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -28,7 +28,7 @@ mkdir -p /nsm filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm -free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') export free_space_root mkdir -p /root/installtmp/pillar/minions From 242e17b329dad002ac815d48cbf8cd2b9a6f0d83 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 13 Jul 2020 09:45:11 -0400 Subject: [PATCH 201/314] prevent elasticsearch pillar being added twice for managers and helix --- setup/so-functions | 4 +--- setup/so-setup | 6 ++++-- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/setup/so-functions b/setup/so-functions index b05da56dd..df19a17b7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1141,8 +1141,7 @@ elasticsearch_pillar() { " log_size_limit: $log_size_limit"\ " node_route_type: hot"\ "" >> "$pillar_file" - - if [ "$install_type" != 'EVAL' ] && [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'MANAGERSEARCH' ] && [ "$install_type" != 'STANDALONE' ]; then + printf '%s\n'\ "logstash_settings:"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ @@ -1150,7 +1149,6 @@ elasticsearch_pillar() { " ls_batch_count: $LSINPUTBATCHCOUNT"\ " lsheap: $NODE_LS_HEAP_SIZE"\ "" >> "$pillar_file" - fi printf '%s\n' '----' >> "$setup_log" 2>&1 cat "$pillar_file" >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index e1177c21c..eab45388a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -440,8 +440,10 @@ fi set_progress_str 18 'Setting node type' set_node_type >> $setup_log 2>&1 - set_progress_str 19 'Generating search node pillar' - elasticsearch_pillar >> $setup_log 2>&1 + if ! [[ $is_manager || $is_helix ]]; then + set_progress_str 19 'Generating search node pillar' + elasticsearch_pillar >> $setup_log 2>&1 + fi fi if [[ $is_minion ]]; then From a6cceef986d46a4b66cb5455f8f3116dd9515708 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 13 Jul 2020 10:55:55 -0400 Subject: [PATCH 202/314] Removes create admin user from setup --- setup/so-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index eab45388a..0c19fcfee 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -188,7 +188,7 @@ case "$setup_type" in whiptail_management_interface_dns_search fi - collect_adminuser_inputs + #collect_adminuser_inputs ;; 'network') whiptail_network_notice @@ -341,8 +341,8 @@ if [[ "$setup_type" == 'iso' ]]; then set_hostname_iso set_management_interface - add_admin_user - disable_onion_user + #add_admin_user + #disable_onion_user fi { 
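Review bot: Commenting out `disable_onion_user` in the `iso` branch drops the `usermod -L onion` lock on the ISO's default account (that function's body is visible in the following patch of this series, where it is deleted), so after setup the `onion` login stays enabled with whatever password the image shipped or the installer set. With `add_admin_user` commented out in the same hunk there is no longer any step on this path that creates a replacement account, so the default account appears to become the only interactive login; if that is intended, force a password change (`chage -d 0 onion`) or keep the lock until a real account exists, and say so in the commit message. Dead `#add_admin_user` / `#disable_onion_user` lines are better removed than left behind, since the functions they name are being dropped. The enclosing `if [[ "$setup_type" == 'iso' ]]` block starts before this hunk.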
From 14faa3b898269064079b2795566efa8ed93b12d0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 13 Jul 2020 11:08:04 -0400 Subject: [PATCH 203/314] Clean up bash profile --- setup/so-functions | 12 +++++++----- setup/so-setup | 2 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index df19a17b7..1bbe4dccc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -656,12 +656,14 @@ detect_os() { } -disable_onion_user() { - # Disable the default account cause security. - usermod -L onion - +disable_auto_start() { + # Remove the automated setup script from crontab, if it exists - crontab -u onion -r + crontab -u $USER -r + + # Truncate last line of the bash profile + sed -i '$ d' /home/$USER/.bash_profile + } disable_misc_network_features() { diff --git a/setup/so-setup b/setup/so-setup index 0c19fcfee..a0e545b92 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -342,7 +342,7 @@ if [[ "$setup_type" == 'iso' ]]; then set_management_interface #add_admin_user - #disable_onion_user + disable_auto_start fi { From dc0aa270d9382ac5b0913dfce97c8b7e69eab23b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 13 Jul 2020 11:12:11 -0400 Subject: [PATCH 204/314] Fix ISO rsync --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1bbe4dccc..9885c48ff 100755 --- a/setup/so-functions +++ b/setup/so-functions 
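Review bot: `disable_auto_start` resolves the ISO account through `$USER`, but when so-setup is launched via sudo that variable is the target user (`root`), so `crontab -u $USER -r` and `sed -i '$ d' /home/$USER/.bash_profile` act on root's crontab and a non-existent `/home/root/.bash_profile` rather than the `onion` account the hard-coded code it replaces targeted. Independently, `crontab -r` discards the user's entire crontab rather than "the automated setup script" the comment describes, and `sed '$ d'` deletes whatever happens to be the last line of `.bash_profile`, which is only correct if the ISO build guarantees that line is the auto-start hook. Resolving the account from `${SUDO_USER:-$USER}`, quoting it, and removing the entries by content keeps the function's effect to what its comment promises; the `so-setup` pattern below is an assumption about what the ISO writes and must match the real hook. Note also that the removed function's `usermod -L onion` has no counterpart here, so this patch series ends with the default account unlocked.
```shell
disable_auto_start() {
  # The ISO login account; under sudo, $USER is the target user (root), so prefer SUDO_USER.
  local iso_user="${SUDO_USER:-$USER}"
  local iso_home
  iso_home=$(getent passwd "$iso_user" | cut -d: -f6)

  # Drop only the automated setup entry from the crontab, keeping any other jobs
  if crontab -u "$iso_user" -l >/dev/null 2>&1; then
    crontab -u "$iso_user" -l | grep -v 'so-setup' | crontab -u "$iso_user" -
  fi

  # Remove the auto-start hook by content instead of truncating the last line blindly
  sed -i '/so-setup/d' "$iso_home/.bash_profile"
}
```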
@@ -1420,8 +1420,8 @@ setup_salt_master_dirs() {
 # Copy over the salt code and templates
 if [ "$setup_type" = 'iso' ]; then
- rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
- rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+ rsync -avh --exclude 'TRANS.TBL' /home/$USER/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
+ rsync -avh --exclude 'TRANS.TBL' /home/$USER/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
 else
 cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
From ef3c5d1fe03654e6e9b7bd9eabafa175d7c584dd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 13 Jul 2020 11:31:37 -0400
Subject: [PATCH 205/314] fix patch pillar, select patch hours on 1 screen
---
 setup/so-whiptail | 71 +++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 39 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 4d3d72c40..943b91f16 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
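Review bot: `/home/$USER/SecurityOnion/...` in the two rsync lines relies on `$USER` naming the person who launched setup, but when so-setup runs under sudo the environment normally has `USER` rewritten to the target user (root), so the source path would resolve to `/home/root/SecurityOnion/...` and the copy fails quietly into the log. `${SUDO_USER:-$USER}` yields the login user in both the sudo and non-sudo cases; a later commit on this page derives the name from `pwd` instead, which only works when setup is launched from inside the user's home tree. Consider also checking the rsync exit status here, since an incomplete `$default_salt_dir` makes later salt states fail less obviously. The rest of `setup_salt_master_dirs` is outside the hunk.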
@@ -892,50 +892,43 @@ whiptail_patch_schedule_select_days() { } whiptail_patch_schedule_select_hours() { - - [ -n "$TESTING" ] && return - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days? Hours 12 through 23 can be selected on the next screen." 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" OFF \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF 3>&1 1>&2 2>&3 ) + [ -n "$TESTING" ] && return - local exitstatus=$? - whiptail_check_exitstatus $exitstatus + # Select the hours to patch + PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ + "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ + 00:00 "" OFF \ + 01:00 "" OFF \ + 02:00 "" ON \ + 03:00 "" OFF \ + 04:00 "" OFF \ + 05:00 "" OFF \ + 06:00 "" OFF \ + 07:00 "" OFF \ + 08:00 "" OFF \ + 09:00 "" OFF \ + 10:00 "" OFF \ + 11:00 "" OFF \ + 12:00 "" OFF \ + 13:00 "" OFF \ + 14:00 "" OFF \ + 15:00 "" OFF \ + 16:00 "" OFF \ + 17:00 "" OFF \ + 18:00 "" OFF \ + 19:00 "" OFF \ + 20:00 "" OFF \ + 21:00 "" OFF \ + 22:00 "" OFF \ + 23:00 "" OFF 3>&1 1>&2 2>&3) - # Select the hours to patch - PATCHSCHEDULEHOURS+=$(whiptail --title "Security Onion Setup" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" ON \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus
+ PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"')
- PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"')
-
- IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS"
+ IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS"
 }
From 59c00057b14cf253af5bd7b084b49573a107ac23 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 13 Jul 2020 11:34:30 -0400
Subject: [PATCH 206/314] fix patch pillar, select patch hours on 1 screen
---
 setup/so-whiptail | 64 +++++++++++++++++++++++------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 943b91f16..17a75504a 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
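Review bot: The pre-ticked default moves from `15:00 "" ON` to `02:00 "" ON` in the merged checklist, a behaviour change the subject line does not mention; it deserves a line in the commit message or a comment above the list. Nothing after `whiptail_check_exitstatus` verifies that at least one hour was ticked, so `PATCHSCHEDULEHOURS` can end up as an empty array, and whether the pillar writer tolerates that is not visible here. A one-line re-prompt before the `tr -d '"'` line, `[[ -z $PATCHSCHEDULEHOURS ]] && whiptail_patch_schedule_select_hours`, would keep the schedule non-empty. This hunk begins on the previous line.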
@@ -893,42 +893,42 @@ whiptail_patch_schedule_select_days() { whiptail_patch_schedule_select_hours() { - [ -n "$TESTING" ] && return + [ -n "$TESTING" ] && return - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" ON \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" OFF \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) + # Select the hours to patch + PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ + "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ + 00:00 "" OFF \ + 01:00 "" OFF \ + 02:00 "" ON \ + 03:00 "" OFF \ + 04:00 "" OFF \ + 05:00 "" OFF \ + 06:00 "" OFF \ + 07:00 "" OFF \ + 08:00 "" OFF \ + 09:00 "" OFF \ + 10:00 "" OFF \ + 11:00 "" OFF \ + 12:00 "" OFF \ + 13:00 "" OFF \ + 14:00 "" OFF \ + 15:00 "" OFF \ + 16:00 "" OFF \ + 17:00 "" OFF \ + 18:00 "" OFF \ + 19:00 "" OFF \ + 20:00 "" OFF \ + 21:00 "" OFF \ + 22:00 "" OFF \ + 23:00 "" OFF 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus + local exitstatus=$? + whiptail_check_exitstatus $exitstatus - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') + PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" + IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" } From c58571312212164ad8bd57cd163cd5860b0e78b1 Mon Sep 17 00:00:00 2001 
From: William Wernert
Date: Mon, 13 Jul 2020 13:28:54 -0400
Subject: [PATCH 207/314] [style] Change SO_ERROR check to non-empty check
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index c22d49ee8..0ddf99895 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -623,7 +623,7 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
 IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
 fi
-if [[ $success != 0 || $SO_ERROR == 1 ]]; then
+if [[ $success != 0 || -n $SO_ERROR ]]; then
 SKIP_REBOOT=1
 whiptail_setup_failed
 else
From 55869c4f81a8e60a3913106a74fa9432f12736c5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 13 Jul 2020 14:25:10 -0400
Subject: [PATCH 208/314] Fix username so install works properly from ISO
---
 setup/so-functions | 13 +++++++++----
 setup/so-setup | 3 +++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 9885c48ff..66dc20ebd 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -659,10 +659,10 @@ detect_os() {
 disable_auto_start() {
 # Remove the automated setup script from crontab, if it exists
- crontab -u $USER -r
+ crontab -u $INSTALLUSERNAME -r
 # Truncate last line of the bash profile
- sed -i '$ d' /home/$USER/.bash_profile
+ sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile
 }
@@ -1156,6 +1156,11 @@ elasticsearch_pillar() {
 cat "$pillar_file" >> "$setup_log" 2>&1
 }
+parse_install_username() {
+ # parse out the install username so things copy correctly
+ INSTALLUSERNAME=$(pwd | sed -E 's/\// /g' | awk '{ print $2 }')
+}
+
 patch_pillar() {
 local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
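Review bot: `parse_install_username` takes the second path component of `pwd` as the user name, so it is only right when setup is launched from `/home/<user>/...`; started from `/root`, `/opt` or `/tmp` it yields a directory name, and the `@@ -659` hunk then hands that value to `crontab -u ... -r` and edits `/home/<value>/.bash_profile`, which can clear another account's crontab if a matching user exists. `${SUDO_USER:-$(id -un)}` identifies the invoking user without depending on the working directory. At minimum validate the result before it is used, e.g. `id "$INSTALLUSERNAME" >/dev/null 2>&1 || { echo "cannot determine install user" >> "$setup_log"; exit 1; }`. Both hunks sit inside functions whose remainder is outside this view.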
@@ -1420,8 +1425,8 @@ setup_salt_master_dirs() {
 # Copy over the salt code and templates
 if [ "$setup_type" = 'iso' ]; then
- rsync -avh --exclude 'TRANS.TBL' /home/$USER/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
- rsync -avh --exclude 'TRANS.TBL' /home/$USER/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+ rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
+ rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
 else
 cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
diff --git a/setup/so-setup b/setup/so-setup
index a0e545b92..2d2275f5f 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -47,6 +47,9 @@ while [[ $# -gt 0 ]]; do
 done
 # Begin Installation pre-processing
+parse_install_username
+echo "Installing as the $INSTALLUSERNAME user." >> $setup_log 2>&1
+
 echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1
 automated=no
From 00f178197c01d3d80aee2b14bfbe418742bfcb6a Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 13 Jul 2020 14:34:11 -0400
Subject: [PATCH 209/314] [fix] Evaluate $success early to avoid checking against other output
---
 setup/so-setup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 2d2275f5f..31baf3deb 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -620,11 +620,13 @@ fi
 success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
+if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow
+
 if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
 IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
 fi
-if [[ $success != 0 || $SO_ERROR == 1 ]]; then
+if [[ -n $SO_ERROR ]]; then
 SKIP_REBOOT=1
 whiptail_setup_failed
 else
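Review bot: `if [[ $success != 0 ]]` in the added line is also true when `$success` is empty, i.e. when no line containing `Failed` appears in the last 10 lines of `$setup_log`, so a missing summary is reported as a failed install; if that fail-closed behaviour is intended the trailing comment should say so, otherwise test `-n $success` explicitly. `grep Failed` also matches any log line containing that word, not only the highstate summary, so anchoring the pattern to the summary's format would make the check less fragile. The if/else that consumes `SO_ERROR` continues below the hunk.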
From 81c8185cb559cbb1f126e6d90affe76e5ecec95b Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 13 Jul 2020 14:53:47 -0400
Subject: [PATCH 210/314] [refactor] Delete check for network install since we check /nsm now
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 3b5fc81b7..df7a3f254 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -420,7 +420,7 @@ check_requirements() {
 if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 fi
- if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then
+ if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
 whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
 fi
From aa4d435020333e39207f9fdc6dd51529114c135a Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 13 Jul 2020 15:21:05 -0400
Subject: [PATCH 211/314] [fix] Don't run so-allow before setup complete menu
---
 setup/so-setup | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index b5f6d1d52..c10ff4737 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -624,10 +624,6 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
 if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow
-if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
- IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
-fi
-
 if [[ -n $SO_ERROR ]]; then
 SKIP_REBOOT=1
 whiptail_setup_failed
@@ -636,6 +632,10 @@ else
 if [[ $THEHIVE == 1 ]]; then check_hive_init; fi
 fi
+if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
+ IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
+fi
+
 install_cleanup >> $setup_log 2>&1
 if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi
From f67f0679aef27825630a0259a6fc77cedf6ca028 Mon Sep 17 00:00:00 2001
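Review bot: After the move in the `@@ -636` hunk, `so-allow -$ALLOW_ROLE` still runs when `SO_ERROR` is set, so a failed install now shows the failure dialog and then opens the firewall for `$ALLOW_CIDR` on a partially configured host. If the exception is only meant for completed installs, gate it: `if [[ -z $SO_ERROR && -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then`. The `-$ALLOW_ROLE` argument is built from a variable whose origin is not visible in the hunk, so whether it is restricted to the roles so-allow accepts should be confirmed where it is set.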
From: Jason Ertel
Date: Mon, 13 Jul 2020 16:02:01 -0400
Subject: [PATCH 212/314] Add new so-pcaptools image to docker list for network install
---
 setup/so-functions | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup/so-functions b/setup/so-functions
index 66dc20ebd..7d05852e0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -775,6 +775,7 @@ docker_seed_registry() {
 "so-influxdb:$VERSION" \
 "so-kibana:$VERSION" \
 "so-mysql:$VERSION" \
+ "so-pcaptools:$VERSION" \
 "so-playbook:$VERSION" \
 "so-soc:$VERSION" \
 "so-kratos:$VERSION" \
From 8f66a27f07d1dd7a8cc8929596eacee0b9723a6c Mon Sep 17 00:00:00 2001
From: Jason Ertel Date: Mon, 13 Jul 2020 18:26:43 -0400 Subject: [PATCH 213/314] Refactor image repository to a single variable --- salt/common/tools/sbin/so-common | 2 + salt/common/tools/sbin/so-docker-refresh | 16 +- salt/common/tools/sbin/so-elastic-download | 43 - salt/common/tools/sbin/so-features-enable | 8 +- salt/common/tools/sbin/so-import-pcap | 9 +- salt/curator/init.sls | 3 +- salt/deprecated-bro/cron/packetloss.sh | 2 - salt/deprecated-bro/cron/zeek_clean | 64 - salt/deprecated-bro/files/local.bro | 139 -- salt/deprecated-bro/files/local.bro.community | 133 -- salt/deprecated-bro/files/node.cfg | 47 - salt/deprecated-bro/init.sls | 206 -- salt/deprecated-bro/policy/intel/__load__.bro | 1 - .../securityonion/add-interface-to-logs.bro | 20 - .../policy/securityonion/apt1/__load__.bro | 9 - .../policy/securityonion/apt1/apt1-certs.dat | 26 - .../policy/securityonion/apt1/apt1-fqdn.dat | 2049 ----------------- .../policy/securityonion/apt1/apt1-md5.dat | 1012 -------- .../policy/securityonion/bpfconf.bro | 106 - .../securityonion/conn-add-sensorname.bro | 10 - .../file-extraction/__load__.bro | 1 - .../securityonion/file-extraction/extract.bro | 21 - .../securityonion/json-logs/__load__.bro | 3 - salt/domainstats/init.sls | 6 +- salt/elastalert/init.sls | 3 +- salt/elasticsearch/init.sls | 3 +- salt/filebeat/init.sls | 3 +- salt/fleet/init.sls | 3 +- salt/freqserver/init.sls | 6 +- salt/grafana/init.sls | 3 +- salt/idstools/init.sls | 3 +- salt/influxdb/init.sls | 4 +- salt/kibana/init.sls | 3 +- salt/logstash/init.sls | 3 +- .../files/registry/scripts/so-docker-download | 46 - salt/manager/init.sls | 3 +- salt/mysql/init.sls | 3 +- salt/nginx/init.sls | 3 +- salt/nodered/init.sls | 4 +- salt/pcap/init.sls | 5 +- salt/playbook/init.sls | 3 +- salt/reactor/fleet.sls | 4 +- salt/redis/init.sls | 3 +- salt/soc/init.sls | 5 +- salt/soctopus/init.sls | 3 +- salt/strelka/init.sls | 13 +- salt/suricata/init.sls | 3 +- salt/tcpreplay/init.sls | 3 +- 
salt/telegraf/init.sls | 3 +- salt/thehive/init.sls | 7 +- salt/wazuh/init.sls | 3 +- salt/zeek/init.sls | 3 +- setup/so-common-functions | 1 + setup/so-functions | 11 +- upgrade/so-update-functions | 11 +- 55 files changed, 103 insertions(+), 4007 deletions(-) delete mode 100755 salt/common/tools/sbin/so-elastic-download delete mode 100644 salt/deprecated-bro/cron/packetloss.sh delete mode 100644 salt/deprecated-bro/cron/zeek_clean delete mode 100644 salt/deprecated-bro/files/local.bro delete mode 100644 salt/deprecated-bro/files/local.bro.community delete mode 100644 salt/deprecated-bro/files/node.cfg delete mode 100644 salt/deprecated-bro/init.sls delete mode 100644 salt/deprecated-bro/policy/intel/__load__.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/apt1/__load__.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat delete mode 100644 salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat delete mode 100644 salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat delete mode 100644 salt/deprecated-bro/policy/securityonion/bpfconf.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro delete mode 100644 salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro delete mode 100644 salt/manager/files/registry/scripts/so-docker-download diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 759f78f18..8db8fea52 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -15,6 +15,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +IMAGEREPO=soshybridhunter + # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index bd9993570..11200864f 100644 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh @@ -14,12 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -got_root(){ - if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 - fi -} + +. /usr/sbin/so-common manager_check() { # Check to see if this is a manager @@ -39,10 +35,10 @@ update_docker_containers() { do # Pull down the trusted docker image echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i done } @@ -55,7 +51,7 @@ version_check() { exit 1 fi } -got_root + manager_check version_check diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download deleted file mode 100755 index b52d88c45..000000000 --- a/salt/common/tools/sbin/so-elastic-download +++ /dev/null 
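Review bot: In so-docker-refresh, `. /usr/sbin/so-common` replaces the local `got_root` check, and if that file is missing a plain `.` in bash returns non-zero and the script carries on (unless it runs with `set -e` or in POSIX mode, which the hunk does not show) with no root check and an empty `IMAGEREPO`, so the pull/tag/push loop would target `docker.io//$i` and `$HOSTNAME:5000//$i`. Guarding the source, `. /usr/sbin/so-common || { echo "so-common not found"; exit 1; }`, keeps the previous fail-closed behaviour. The so-common hunk shows the root check now runs at source time and exits the caller, which is fine here but worth a one-line comment next to the `.` line.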
@@ -1,43 +0,0 @@ -#!/bin/bash -MANAGER=MANAGER -VERSION="HH1.1.4" -TRUSTED_CONTAINERS=( \ -"so-nginx:$VERSION" \ -"so-thehive-cortex:$VERSION" \ -"so-curator:$VERSION" \ -"so-domainstats:$VERSION" \ -"so-elastalert:$VERSION" \ -"so-elasticsearch:$VERSION" \ -"so-filebeat:$VERSION" \ -"so-fleet:$VERSION" \ -"so-fleet-launcher:$VERSION" \ -"so-freqserver:$VERSION" \ -"so-grafana:$VERSION" \ -"so-idstools:$VERSION" \ -"so-influxdb:$VERSION" \ -"so-kibana:$VERSION" \ -"so-logstash:$VERSION" \ -"so-mysql:$VERSION" \ -"so-playbook:$VERSION" \ -"so-redis:$VERSION" \ -"so-sensoroni:$VERSION" \ -"so-soctopus:$VERSION" \ -"so-steno:$VERSION" \ -#"so-strelka:$VERSION" \ -"so-suricata:$VERSION" \ -"so-telegraf:$VERSION" \ -"so-thehive:$VERSION" \ -"so-thehive-es:$VERSION" \ -"so-wazuh:$VERSION" \ -"so-zeek:$VERSION" ) - -for i in "${TRUSTED_CONTAINERS[@]}" -do - # Pull down the trusted docker image - echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i - # Tag it with the new registry destination - docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i - docker push $MANAGER:5000/soshybridhunter/$i - docker rmi soshybridhunter/$i -done diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index 6ba9252a9..edc378bc5 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable 
@@ -31,13 +31,13 @@ for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i done for i in "${TRUSTED_CONTAINERS[@]}" do echo "Removing $i locally" - docker rmi soshybridhunter/$i + docker rmi $IMAGEREPO/$i done diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 02b7ffedc..92dc27f50 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -17,6 +17,7 @@ {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {%- set MANAGERIP = salt['pillar.get']('static:managerip') -%} function usage { @@ -31,13 +32,13 @@ EOF function pcapinfo() { PCAP=$1 ARGS=$2 - docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap $ARGS + docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS } function pcapfix() { PCAP=$1 PCAP_OUT=$2 - docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/soshybridhunter/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 + docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 } function suricata() { 
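Review bot: This loop in so-features-enable now expands `$IMAGEREPO`, but the hunk does not show the script sourcing so-common where that variable is defined; if it does not, every `docker pull`, `docker tag` and `docker rmi` here operates on `docker.io//$i` and `/$i`. If so-common is already sourced earlier in the file this is fine; otherwise add `. /usr/sbin/so-common` near the top, as so-docker-refresh does in this same commit. A `: "${IMAGEREPO:?IMAGEREPO not set}"` line before the loop would fail loudly in either case.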
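Review bot: `salt['pillar.get']('static:imagerepo')` in so-import-pcap has no default, so when the pillar key is absent every image reference rendered from it becomes `{{ MANAGER }}:5000//so-pcaptools:...`, whereas so-common hardcodes `soshybridhunter`; the curator `init.sls` hunk that follows uses the same default-less form. `{% set IMAGEREPO = salt['pillar.get']('static:imagerepo', 'soshybridhunter') %}` keeps the two sources consistent and mirrors how curator's `VERSION` line already carries a default. The diffstat lists no pillar file, so where `static:imagerepo` gets written (presumably setup/so-functions) should be confirmed.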
@@ -58,7 +59,7 @@ function suricata() { -v ${NSM_PATH}/:/nsm/:rw \ -v $PCAP:/input.pcap:ro \ -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \ - {{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} \ + {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \ --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1 } @@ -86,7 +87,7 @@ function zeek() { -v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \ --entrypoint /opt/zeek/bin/zeek \ -w /nsm/zeek/logs \ - {{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} \ + {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} \ -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 } diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 0896e0c6a..8873f401a 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,4 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %} # Curator @@ -111,7 +112,7 @@ so-curatordeletecron: so-curator: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-curator:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }} - hostname: curator - name: so-curator - user: curator diff --git a/salt/deprecated-bro/cron/packetloss.sh b/salt/deprecated-bro/cron/packetloss.sh deleted file mode 100644 index 744fd09f4..000000000 --- a/salt/deprecated-bro/cron/packetloss.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log 
diff --git a/salt/deprecated-bro/cron/zeek_clean b/salt/deprecated-bro/cron/zeek_clean deleted file mode 100644 index 24bbc218c..000000000 --- a/salt/deprecated-bro/cron/zeek_clean +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Delete Zeek Logs based on defined CRIT_DISK_USAGE value - -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -clean () { - -SENSOR_DIR='/nsm' -CRIT_DISK_USAGE=90 -CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) -LOG="/nsm/bro/logs/zeek_clean.log" - -if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then - while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; - do - TODAY=$(date -u "+%Y-%m-%d") - - # find the oldest Zeek logs directory and exclude today - OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1) - if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ] - then - echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG - exit 0 - else - echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG - rm -rf /nsm/bro/logs/"$OLDEST_DIR" - fi - - # find oldest files in extracted directory and exclude today - OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1) - if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." 
] - then - echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG - else - OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1` - OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'` - echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG - find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE - do - echo "$(date) - Removing extracted file: $FILE" >> $LOG - rm -f "$FILE" - done - fi - done -else - echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG -fi -} - -clean diff --git a/salt/deprecated-bro/files/local.bro b/salt/deprecated-bro/files/local.bro deleted file mode 100644 index 30b216548..000000000 --- a/salt/deprecated-bro/files/local.bro +++ /dev/null 
@@ -1,139 +0,0 @@ -##! Local site policy. Customize as appropriate. -##! -##! This file will not be overwritten when upgrading or reinstalling! - -# This script logs which scripts were loaded during each run. -@load misc/loaded-scripts - -# Apply the default tuning scripts for common tuning settings. -@load tuning/defaults - -# Estimate and log capture loss. -@load misc/capture-loss - -# Enable logging of memory, packet and lag statistics. -@load misc/stats - -# Load the scan detection script. -@load misc/scan - -# Detect traceroute being run on the network. This could possibly cause -# performance trouble when there are a lot of traceroutes on your network. -# Enable cautiously. -#@load misc/detect-traceroute - -# Generate notices when vulnerable versions of software are discovered. -# The default is to only monitor software found in the address space defined -# as "local". Refer to the software framework's documentation for more -# information. -@load frameworks/software/vulnerable - -# Detect software changing (e.g. attacker installing hacked SSHD). -@load frameworks/software/version-changes - -# This adds signatures to detect cleartext forward and reverse windows shells. -@load-sigs frameworks/signatures/detect-windows-shells - -# Load all of the scripts that detect software in various protocols. -@load protocols/ftp/software -@load protocols/smtp/software -@load protocols/ssh/software -@load protocols/http/software -# The detect-webapps script could possibly cause performance trouble when -# running on live traffic. Enable it cautiously. -#@load protocols/http/detect-webapps - -# This script detects DNS results pointing toward your Site::local_nets -# where the name is not part of your local DNS zone and is being hosted -# externally. Requires that the Site::local_zones variable is defined. -@load protocols/dns/detect-external-names - -# Script to detect various activity in FTP sessions. -@load protocols/ftp/detect - -# Scripts that do asset tracking. 
-@load protocols/conn/known-hosts -@load protocols/conn/known-services -@load protocols/ssl/known-certs - -# This script enables SSL/TLS certificate validation. -@load protocols/ssl/validate-certs - -# This script prevents the logging of SSL CA certificates in x509.log -@load protocols/ssl/log-hostcerts-only - -# Uncomment the following line to check each SSL certificate hash against the ICSI -# certificate notary service; see http://notary.icsi.berkeley.edu . -# @load protocols/ssl/notary - -# If you have libGeoIP support built in, do some geographic detections and -# logging for SSH traffic. -@load protocols/ssh/geo-data -# Detect hosts doing SSH bruteforce attacks. -@load protocols/ssh/detect-bruteforcing -# Detect logins using "interesting" hostnames. -@load protocols/ssh/interesting-hostnames - -# Detect SQL injection attacks. -@load protocols/http/detect-sqli - -#### Network File Handling #### - -# Enable MD5 and SHA1 hashing for all files. -@load frameworks/files/hash-all-files - -# Detect SHA1 sums in Team Cymru's Malware Hash Registry. -@load frameworks/files/detect-MHR - -# Uncomment the following line to enable detection of the heartbleed attack. Enabling -# this might impact performance a bit. -# @load policy/protocols/ssl/heartbleed - -# Uncomment the following line to enable logging of connection VLANs. Enabling -# this adds two VLAN fields to the conn.log file. This may not work properly -# since we use AF_PACKET and it strips VLAN tags. -# @load policy/protocols/conn/vlan-logging - -# Uncomment the following line to enable logging of link-layer addresses. Enabling -# this adds the link-layer address for each connection endpoint to the conn.log file. -# @load policy/protocols/conn/mac-logging - -# Uncomment the following line to enable the SMB analyzer. The analyzer -# is currently considered a preview and therefore not loaded by default. 
-@load base/protocols/smb - -# BPF Configuration -@load securityonion/bpfconf - -# Add the interface to the log event -#@load securityonion/add-interface-to-logs.bro - -# Add Sensor Name to the conn.log -#@load securityonion/conn-add-sensorname.bro - -# File Extraction -#@load securityonion/file-extraction - -# Intel from Mandiant APT1 Report -#@load securityonion/apt1 - -# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271 -#@load securityonion/shellshock - -# JA3 - SSL Detection Goodness -@load policy/ja3 - -# HASSH -@load policy/hassh - -# You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the manager -@load intel - -# Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the manager -#@load custom/somebropolicy.bro - -# Write logs in JSON -redef LogAscii::use_json = T; -redef LogAscii::json_timestamps = JSON::TS_ISO8601; diff --git a/salt/deprecated-bro/files/local.bro.community b/salt/deprecated-bro/files/local.bro.community deleted file mode 100644 index 76b18587f..000000000 --- a/salt/deprecated-bro/files/local.bro.community +++ /dev/null 
@@ -1,133 +0,0 @@
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Estimate and log capture loss.
-@load misc/capture-loss
-
-# Enable logging of memory, packet and lag statistics.
-@load misc/stats
-
-# Load the scan detection script.
-@load misc/scan
-
-# Detect traceroute being run on the network. This could possibly cause
-# performance trouble when there are a lot of traceroutes on your network.
-# Enable cautiously.
-#@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local". Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic. Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally. Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have libGeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-
-# Uncomment the following line to enable logging of connection VLANs. Enabling
-# this adds two VLAN fields to the conn.log file. This may not work properly
-# since we use AF_PACKET and it strips VLAN tags.
-# @load policy/protocols/conn/vlan-logging
-
-# Uncomment the following line to enable logging of link-layer addresses. Enabling
-# this adds the link-layer address for each connection endpoint to the conn.log file.
-# @load policy/protocols/conn/mac-logging
-
-# Uncomment the following line to enable the SMB analyzer. The analyzer
-# is currently considered a preview and therefore not loaded by default.
-# @load policy/protocols/smb
-
-# Add the interface to the log event
-#@load securityonion/add-interface-to-logs.bro
-
-# Add Sensor Name to the conn.log
-#@load securityonion/conn-add-sensorname.bro
-
-# File Extraction
-#@load securityonion/file-extraction
-
-# Intel from Mandiant APT1 Report
-#@load securityonion/apt1
-
-# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
-#@load securityonion/shellshock
-
-# JA3 - SSL Detection Goodness
-@load policy/ja3
-
-# You can load your own intel into:
-# /opt/so/saltstack/bro/policy/intel/ on the manager
-@load intel
-
-# Load a custom Bro policy
-# /opt/so/saltstack/bro/policy/custom/ on the manager
-#@load custom/somebropolicy.bro
-
-# Use JSON
-redef LogAscii::use_json = T;
-redef LogAscii::json_timestamps = JSON::TS_ISO8601;
diff --git a/salt/deprecated-bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg
deleted file mode 100644
index 804771728..000000000
--- a/salt/deprecated-bro/files/node.cfg
+++ /dev/null
@@ -1,47 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-
-{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %}
-{%- if salt['pillar.get']('sensor:zeek_proxies') %}
- {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %}
-{%- else %}
- {%- if salt['pillar.get']('sensor:zeek_pins') %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %}
- {%- else %}
- {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %}
- {%- endif %}
-{%- endif %}
-[manager]
-type=manager
-host=localhost
-
-[logger]
-type=logger
-host=localhost
-
-[proxy]
-type=proxy
-host=localhost
-
-[worker-1]
-type=worker
-host=localhost
-interface=af_packet::{{ interface }}
-lb_method=custom
-
-{%- if salt['pillar.get']('sensor:zeek_lbprocs') %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }}
-{%- else %}
-lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }}
-{%- endif %}
-{%- if salt['pillar.get']('sensor:zeek_pins') %}
-pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }}
-{%- endif %}
-af_packet_fanout_id=23
-af_packet_fanout_mode=AF_Packet::FANOUT_HASH
-af_packet_buffer_size=128*1024*1024
-{%- else %}
-[brosa]
-type=standalone
-host=localhost
-interface={{ interface }}
-{%- endif %}
diff --git a/salt/deprecated-bro/init.sls b/salt/deprecated-bro/init.sls
deleted file mode 100644
index 8f36be420..000000000
--- a/salt/deprecated-bro/init.sls
+++ /dev/null
@@ -1,206 +0,0 @@
-{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
-{% set BPF_STATUS = 0 %}
-
-# Bro Salt State
-# Add Bro group
-brogroup:
- group.present:
- - name: bro
- - gid: 937
-
-# Add Bro User
-bro:
- user.present:
- - uid: 937
- - gid: 937
- - home: /home/bro
-
-# Create some directories
-bropolicydir:
- file.directory:
- - name: /opt/so/conf/bro/policy
- - user: 937
- - group: 939
- - makedirs: True
-
-# Bro Log Directory
-brologdir:
- file.directory:
- - name: /nsm/bro/logs
- - user: 937
- - group: 939
- - makedirs: True
-
-# Bro Spool Directory
-brospooldir:
- file.directory:
- - name: /nsm/bro/spool/manager
- - user: 937
- - makedirs: true
-
-# Bro extracted directory
-broextractdir:
- file.directory:
- - name: /nsm/bro/extracted
- - user: 937
- - group: 939
- - makedirs: True
-
-brosfafincompletedir:
- file.directory:
- - name: /nsm/faf/files/incomplete
- - user: 937
- - makedirs: true
-
-brosfafcompletedir:
- file.directory:
- - name: /nsm/faf/files/complete
- - user: 937
- - makedirs: true
-
-# Sync the policies
-bropolicysync:
- file.recurse:
- - name: /opt/so/conf/bro/policy
- - source: salt://bro/policy
- - user: 937
- - group: 939
- - template: jinja
-
-# Sync node.cfg
-nodecfgsync:
- file.managed:
- - name: /opt/so/conf/bro/node.cfg
- - source: salt://bro/files/node.cfg
- - user: 937
- - group: 939
- - template: jinja
-
-plcronscript:
- file.managed:
- - name: /usr/local/bin/packetloss.sh
- - source: salt://bro/cron/packetloss.sh
- - mode: 755
-
-zeekcleanscript:
- file.managed:
- - name: /usr/local/bin/zeek_clean
- - source: salt://bro/cron/zeek_clean
- - mode: 755
-
-/usr/local/bin/zeek_clean:
- cron.present:
- - user: root
- - minute: '*'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
-/usr/local/bin/packetloss.sh:
- cron.present:
- - user: root
- - minute: '*/10'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
-# BPF compilation and configuration
-{% if BPF_ZEEK %}
- {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ") ) %}
- {% if BPF_CALC['stderr'] == "" %}
- {% set BPF_STATUS = 1 %}
- {% else %}
-zeekbpfcompilationfailure:
- test.configurable_test_state:
- - changes: False
- - result: False
- - comment: "BPF Syntax Error - Discarding Specified BPF"
- {% endif %}
-{% endif %}
-
-zeekbpf:
- file.managed:
- - name: /opt/so/conf/bro/bpf
- - user: 940
- - group: 940
- {% if BPF_STATUS %}
- - contents_pillar: zeek:bpf
- {% else %}
- - contents:
- - "ip or not ip"
- {% endif %}
-
-# Sync local.bro
-{% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
-localbrosync:
- file.managed:
- - name: /opt/so/conf/bro/local.bro
- - source: salt://bro/files/local.bro.community
- - user: 937
- - group: 939
- - template: jinja
-
-so-communitybroimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-communitybro:HH1.0.3
-
-so-bro:
- docker_container.running:
- - require:
- - so-communitybroimage
- - image: docker.io/soshybridhunter/so-communitybro:HH1.0.3
- - privileged: True
- - binds:
- - /nsm/bro/logs:/nsm/bro/logs:rw
- - /nsm/bro/spool:/nsm/bro/spool:rw
- - /nsm/bro/extracted:/nsm/bro/extracted:rw
- - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
- - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
- - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
- - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
- - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
- - network_mode: host
- - watch:
- - file: /opt/so/conf/bro/local.bro
- - file: /opt/so/conf/bro/node.cfg
- - file: /opt/so/conf/bro/policy
-
-{% else %}
-localbrosync:
- file.managed:
- - name: /opt/so/conf/bro/local.bro
- - source: salt://bro/files/local.bro
- - user: 937
- - group: 939
- - template: jinja
-
-so-broimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-bro:HH1.1.1
-
-so-bro:
- docker_container.running:
- - require:
- - so-broimage
- - image: docker.io/soshybridhunter/so-bro:HH1.1.1
- - privileged: True
- - binds:
- - /nsm/bro/logs:/nsm/bro/logs:rw
- - /nsm/bro/spool:/nsm/bro/spool:rw
- - /nsm/bro/extracted:/nsm/bro/extracted:rw
- - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
- - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
- - /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
- - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
- - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
- - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
- - network_mode: host
- - watch:
- - file: /opt/so/conf/bro/local.bro
- - file: /opt/so/conf/bro/node.cfg
- - file: /opt/so/conf/bro/policy
- - file: /opt/so/conf/bro/bpf
-{% endif %}
diff --git a/salt/deprecated-bro/policy/intel/__load__.bro b/salt/deprecated-bro/policy/intel/__load__.bro
deleted file mode 100644
index 4a4d603a7..000000000
--- a/salt/deprecated-bro/policy/intel/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-#Intel
diff --git a/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro b/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
deleted file mode 100644
index 674b9272a..000000000
--- a/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
-global interface = "{{ interface }}";
-
-event bro_init()
- {
- if ( ! reading_live_traffic() )
- return;
-
- Log::remove_default_filter(HTTP::LOG);
- Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
- $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
- {
- local peer = get_event_peer()$descr;
- if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
- return cat("http_", Cluster::nodes[peer]$interface);
- else
- return "http";
- }
- ]);
- }
diff --git a/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro b/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
deleted file mode 100644
index de931eaac..000000000
--- a/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-@load frameworks/intel/seen
-@load frameworks/intel/do_notice
-@load frameworks/files/hash-all-files
-
-redef Intel::read_files += {
- fmt("%s/apt1-fqdn.dat", @DIR),
- fmt("%s/apt1-md5.dat", @DIR),
- fmt("%s/apt1-certs.dat", @DIR)
-};
diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
deleted file mode 100644
index 3f5e643ac..000000000
--- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-#fields indicator indicator_type meta.source meta.desc meta.do_notice
-b054e26ef827fbbf5829f84a9bdbb697a5b042fc Intel::CERT_HASH Mandiant APT1 Report ALPHA T
-7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 Intel::CERT_HASH Mandiant APT1 Report AOL T
-7855c132af1390413d4e4ff4ead321f8802d8243 Intel::CERT_HASH Mandiant APT1 Report AOL T
-f3e3c590d7126bd227733e9d8313d2575c421243 Intel::CERT_HASH Mandiant APT1 Report AOL T
-d4d4e896ce7d73b573f0a0006080a246aec61fe7 Intel::CERT_HASH Mandiant APT1 Report AOL T
-bcdf4809c1886ac95478bbafde246d0603934298 Intel::CERT_HASH Mandiant APT1 Report AOL T
-6b4855df8afc8d57a671fe5ed628f6d88852a922 Intel::CERT_HASH Mandiant APT1 Report AOL T
-d50fdc82c328319ac60f256d3119b8708cd5717b Intel::CERT_HASH Mandiant APT1 Report AOL T
-70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 Intel::CERT_HASH Mandiant APT1 Report AOL T
-3a6a299b764500ce1b6e58a32a257139d61a3543 Intel::CERT_HASH Mandiant APT1 Report AOL T
-bf4f90e0029b2263af1141963ddf2a0c71a6b5fb Intel::CERT_HASH Mandiant APT1 Report AOL T
-b21139583dec0dae344cca530690ec1f344acc79 Intel::CERT_HASH Mandiant APT1 Report AOL T
-21971ffef58baf6f638df2f7e2cceb4c58b173c8 Intel::CERT_HASH Mandiant APT1 Report EMAIL T
-04ecff66973c92a1c348666d5a4738557cce0cfc Intel::CERT_HASH Mandiant APT1 Report IBM T
-f97d1a703aec44d0f53a3a294e33acda43a49de1 Intel::CERT_HASH Mandiant APT1 Report IBM T
-c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe Intel::CERT_HASH Mandiant APT1 Report IBM T
-1b27a897cda019da2c3a6dc838761871e8bf5b5d Intel::CERT_HASH Mandiant APT1 Report LAME T
-d515996e8696612dc78fc6db39006466fc6550df Intel::CERT_HASH Mandiant APT1 Report MOON-NIGHT T
-8f79315659e59c79f1301ef4aee67b18ae2d9f1c Intel::CERT_HASH Mandiant APT1 Report NONAME T
-a57a84975e31e376e3512da7b05ad06ef6441f53 Intel::CERT_HASH Mandiant APT1 Report NS T
-b3db37a0edde97b3c3c15da5f2d81d27af82f583 Intel::CERT_HASH Mandiant APT1 Report SERVER (PEM) T
-6d8f1454f6392361fb2464b744d4fc09eee5fcfd Intel::CERT_HASH Mandiant APT1 Report SUR T
-b66e230f404b2cc1c033ccacda5d0a14b74a2752 Intel::CERT_HASH Mandiant APT1 Report VIRTUALLYTHERE T
-4acbadb86a91834493dde276736cdf8f7ef5d497 Intel::CERT_HASH Mandiant APT1 Report WEBMAIL T
-86a48093d9b577955c4c9bd19e30536aae5543d4 Intel::CERT_HASH Mandiant APT1 Report YAHOO T
\ No newline at end of file
diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
deleted file mode 100644
index f0a57f8c3..000000000
--- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
+++ /dev/null
@@ -1,2049 +0,0 @@
-#fields indicator indicator_type meta.source meta.do_notice
-# The following line is for testing only. Please keep it commented out when running in production.
-#time.windows.com Intel::DOMAIN Test FQDN T
-advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
-applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-attnpower.com Intel::DOMAIN Mandiant APT1 Report T
-aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-avvmail.com Intel::DOMAIN Mandiant APT1 Report T
-bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-bigish.net Intel::DOMAIN Mandiant APT1 Report T
-blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-bluecoate.com Intel::DOMAIN Mandiant APT1 Report T
-booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
-businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-businessformars.com Intel::DOMAIN Mandiant APT1 Report T
-busketball.com Intel::DOMAIN Mandiant APT1 Report T
-canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
-cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
-cometoway.org Intel::DOMAIN Mandiant APT1 Report T
-companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-competrip.com Intel::DOMAIN Mandiant APT1 Report T
-comrepair.net Intel::DOMAIN Mandiant APT1 Report T
-conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
-copporationnews.com Intel::DOMAIN Mandiant APT1 Report T
-cslisten.com Intel::DOMAIN Mandiant APT1 Report T
-defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
-firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-giftnews.org Intel::DOMAIN Mandiant APT1 Report T
-globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-hkcastte.com Intel::DOMAIN Mandiant APT1 Report T
-hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-hvmetal.com Intel::DOMAIN Mandiant APT1 Report T
-idirectech.com Intel::DOMAIN Mandiant APT1 Report T
-ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
-infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
-lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
-maltempata.com Intel::DOMAIN Mandiant APT1 Report T
-marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
-mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
-microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
-micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
-msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
-nationtour.net Intel::DOMAIN Mandiant APT1 Report T
-newsesport.com Intel::DOMAIN Mandiant APT1 Report T
-newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-newspappers.org Intel::DOMAIN Mandiant APT1 Report T
-nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T
-ns06.net Intel::DOMAIN Mandiant APT1 Report T
-nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
-olmusic100.com Intel::DOMAIN Mandiant APT1 Report T
-onefastgame.net Intel::DOMAIN Mandiant APT1 Report T
-oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
-pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
-phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T
-pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-progammerli.com Intel::DOMAIN Mandiant APT1 Report T
-purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
-reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
-safalife.com Intel::DOMAIN Mandiant APT1 Report T
-saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
-satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-searchforca.com Intel::DOMAIN Mandiant APT1 Report T
-shepmas.com Intel::DOMAIN Mandiant APT1 Report T
-skyswim.net Intel::DOMAIN Mandiant APT1 Report T
-softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-staycools.net Intel::DOMAIN Mandiant APT1 Report T
-symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-syscation.com Intel::DOMAIN Mandiant APT1 Report T
-syscation.net Intel::DOMAIN Mandiant APT1 Report T
-tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
-thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
-tibethome.org Intel::DOMAIN Mandiant APT1 Report T
-todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-ushongkong.org Intel::DOMAIN Mandiant APT1 Report T
-usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-usnftc.org Intel::DOMAIN Mandiant APT1 Report T
-ustvb.com Intel::DOMAIN Mandiant APT1 Report T
-uszzcs.com Intel::DOMAIN Mandiant APT1 Report T
-voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
-webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
-worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-youipcam.com Intel::DOMAIN Mandiant APT1 Report T
-08elec.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-09back.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-3ml.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-3pma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-4cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-7cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-911.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
-a-ad.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-aam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-aar.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-aarco.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-a-bne.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-abs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-acer.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-acli-mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-a-co.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-acu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-adb.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-add.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-addr.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-adi002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-a-dl.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-admin.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-admin.datastorage01.org Intel::DOMAIN Mandiant APT1 Report T
-admin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-admin.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-adobe.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ads.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
-adt.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-adt001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-adt002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-adtk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-adtkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-adtkl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-adtlk.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-ae.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-a-ec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-a-ep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-aero.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-aes.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-a-ex.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-afda.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-a-fj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-africa.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-africa.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-africa.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-africadb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-afw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-a-ga.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-agl.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-ago.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-a-gon.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-he.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-he.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-a-if.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-iho.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-aiic.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-aip.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
-airline.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-airplane.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-ait.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-a-ja.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-a-jsm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-jsm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-ak47.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-ak47.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-alarm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-alarm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-alcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-alion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-alone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-amanda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-amne.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-ams.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-amusement.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-analysis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-anglo.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-anti.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-aol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-ol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-aol.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-aol.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-aon.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-a-ov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-apa.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-apa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-apa.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-apejack.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-apekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-a-pep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-app.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-app.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-apple.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-apple.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-apple.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-apple.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
-aps.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-apss.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-apss.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-ara.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-ara.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ara2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-ara2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-arainfo.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-arainfo.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-a-rdr.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-ares.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-argsafhq.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-a-ri.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
-armi.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-army.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-army.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-ascn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-asiv.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-asp.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-asp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-asp.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-asp.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-ass.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-astone.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-atm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-atom.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-a-uac.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-un.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-ausi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-auto.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-auto.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-auto.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-auto.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-auto.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
-auto.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-auto.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
-avast.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-avph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-a-za.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-a-za.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-a-zx.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-b.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-back.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-back.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-back.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-back.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-backsun.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-backup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-backup.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-backup.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-backupsw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-banner.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-barity.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-basketball.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-bass.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-bat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-bat.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-bat.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-bat.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-bbb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-bbh.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-bbs.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-bbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bbsfu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bcc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-bcc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bcc.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-bee.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-bee.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
-bee.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-bg-g.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
-bhbt.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-bhbt.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-bing.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bitdefender.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bkav.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bkav2007.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bksy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-black.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-black.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-blackfish.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-bll.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-blog.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-blog.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-blog.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-blog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
-blow.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-blue.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-bluefin.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-bmi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-bob.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-bobo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-bobo.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
-book.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-book.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-book.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-bot.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-bourne.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-bphb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-bring.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-brog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
-bswt.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-built.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-business.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-business.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-business.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-business.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-business.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-business.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-buy.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-buy.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-buycow.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-buyer.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-buz.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-c.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-caaid.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-cac.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-cac.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-cache.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
-cacq.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-cadfait.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-cais.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-cais.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-can.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-canada.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-canary.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-cappuccino.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-car1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-care.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-care.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-cars.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-carvin.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-catalog.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-ccsukl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-cdc01.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-cdcd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-cdd.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-cdrnkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-cecilia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ce-ip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-center.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-center.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-center.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ceros.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-cetv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-chat.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-chat.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-check.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-check.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
-chicken.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-chicken.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-chivas.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-chq.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-christitannahill.appspot.com Intel::DOMAIN Mandiant APT1 Report T
-cib.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-cibuc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-citrix.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-citt.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-city.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-class.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-client.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-climate.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-climate.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
-clin.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-cman.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-cmp.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-cobh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -coco.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -code.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -code.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -coe.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -coe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -coer.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -cok.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -comfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -commpany.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -company.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -compfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -compu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -compute.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -conn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -contact.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -contact.bigish.net Intel::DOMAIN Mandiant APT1 Report T -contact.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -contact.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -contact.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -contact.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -content.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -control.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -control.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -cook.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -cool.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -cool.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -corn.busketball.com Intel::DOMAIN Mandiant APT1 Report T -corp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -corp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cost.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -count.blackcake.net 
Intel::DOMAIN Mandiant APT1 Report T -country.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -cow.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -cowboy.bigish.net Intel::DOMAIN Mandiant APT1 Report T -cowboy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -crab.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -crab.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -crab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -crackling123.appspot.com Intel::DOMAIN Mandiant APT1 Report T -cross.busketball.com Intel::DOMAIN Mandiant APT1 Report T -crz.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -cs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -csch.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -csupp.bigish.net Intel::DOMAIN Mandiant APT1 Report T -ctcn.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ctcs.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -ctcs.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ctimoon.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -ctisk.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cubbh.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -cubh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -culture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -cure.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -current.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -cw.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -cw.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -cw.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -cw.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -cw.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -cwe.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cwe80.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cwel.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cws.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -d.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -da.comrepair.net 
Intel::DOMAIN Mandiant APT1 Report T -daa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -daily.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -data.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -date.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -date.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -date.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -date.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -datehelp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dating.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -db.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -default.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -defense.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -del.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -demo.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -den.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -denel.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -densun.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -des.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -des.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -develop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dhfx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -dias.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -digi.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dith.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dlkl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -dnn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dns.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -dns.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -dns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -dns.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -dns.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -dns1.firefoxupdata.com Intel::DOMAIN Mandiant 
APT1 Report T -dnsg.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -do.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -doa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -docu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -documents.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -documents.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -documents.busketball.com Intel::DOMAIN Mandiant APT1 Report T -documents.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -documents.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -documents.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -documents.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -documents.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -dod.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -doekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -domain.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -domain.busketball.com Intel::DOMAIN Mandiant APT1 Report T -domain.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dorkia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dot.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -dotnet.safalife.com Intel::DOMAIN Mandiant APT1 Report T -dove.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -down.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -down.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -down.safalife.com Intel::DOMAIN Mandiant APT1 Report T -download.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -download.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -download.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -download.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -download.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -download.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -download.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -downloads.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -downupdate.bigish.net 
Intel::DOMAIN Mandiant APT1 Report T -dp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -dq.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -drb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -drinkwater.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -drop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dsh.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dsw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dvid.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dvid.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -dvn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dyn.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -dyn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dyns.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -e.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -e.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -e.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -e.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -e.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -e.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -e.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -e.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -e.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -e.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -e.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -e.staycools.net Intel::DOMAIN Mandiant APT1 Report T -e.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -e.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -e.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -e.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -e.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -eaof.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -east.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -eatbeef.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -ecli-cow.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T 
-edit.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -edu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -education.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -education.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -eeaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eee.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -egcc.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -email.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -email.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -email.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -email.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -email.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -email.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -email.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -email.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -email.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -email.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -email.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -email.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -email.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -email.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -email.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -email.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -email.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -email.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -email.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -email.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -email.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -email.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -email.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -email.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -email.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -email.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T 
-email.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -emam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -en.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -energy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -energy.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -energy.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -energy.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -energy.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -energy.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -engine.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -engineering.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -environment.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eoaf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -epod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -eu.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -eum.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -europa.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -europe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -ever.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -everest.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eye.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -f3tel.bigish.net Intel::DOMAIN Mandiant APT1 Report T -face.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -facebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -faq.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fashion.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -fax.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -fax.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -fax.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -fax.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -fax.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fax.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -fax.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T 
-fax.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -fax.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -fax.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -fax.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -fax.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -fax.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -fcn.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -fed.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ffej.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -ffej.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -fher.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fher.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fhh.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -file.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -file.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -files.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -files.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fileshare.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -fileyp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -film.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fim.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -fim.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -finance.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -finance.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -finance.staycools.net Intel::DOMAIN Mandiant APT1 Report T -finance.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -finance.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -finance.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -finance.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -finance.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -financial.advanbusiness.com 
Intel::DOMAIN Mandiant APT1 Report T -fine.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fineca.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -fineca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -finekl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -finekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -finekl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fiona.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fire.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fire1.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -first.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -fjod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fkfc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -flash.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -flash.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -flash.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -flash.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -flash.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -flash.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -flash.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -flash.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -flash.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -flash.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -flucare.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fly.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -fme.busketball.com Intel::DOMAIN Mandiant APT1 Report T -f-mi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -fmp.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fmp.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fnem.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fni.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fni.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fni.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -fnpc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T 
-fnrn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fntel.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fok.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -follow.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -food.busketball.com Intel::DOMAIN Mandiant APT1 Report T -food.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -football.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -forum.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -free.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -friends.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -froum.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -fs.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -fs.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -fstl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fstl.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fstl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -ftp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -ftp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -ftp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -ftp.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -ftp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -ftp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -ftp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -ftp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -ftp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -ftp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -ftp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -ftp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ftp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T 
-ftp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -ftp.staycools.net Intel::DOMAIN Mandiant APT1 Report T -ftp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -ftp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -ftp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -ftp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -ftp.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -ftp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -ftph.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ftrj.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fuck.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -fun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -function.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -function.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -funny.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -funny.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fwb.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -fwb.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -fwmo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fwmo.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -fy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fza.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -gaca.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -gaca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -game.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -game.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -games.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -gannett.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -gatu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -gayi.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -gee.safalife.com Intel::DOMAIN Mandiant APT1 Report T -gege.newsonet.net Intel::DOMAIN Mandiant 
APT1 Report T -gege.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -geneticmedicine.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -geo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -geology.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -geology.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -gg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -gg.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -ghma.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -gjjr.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -gjmy.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -gl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -glj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -global.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -global.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -globalization.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -glx.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -gmail.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -gmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -gmail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -google.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -goverment.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -green.safalife.com Intel::DOMAIN Mandiant APT1 Report T -ground.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ground.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ground.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -gsti.busketball.com Intel::DOMAIN Mandiant APT1 Report T -gsup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -half.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -half.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -happy.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -happy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -happy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -happy.nationtour.net Intel::DOMAIN 
Mandiant APT1 Report T -happyfish.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -hav.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -health.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -hello.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -help.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -help.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -help.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -help.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -help.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -help.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -help.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -hi.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -hill.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -hill.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -hill.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -hill.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -hm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -home.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -home.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -home.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -home.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -home.staycools.net Intel::DOMAIN Mandiant APT1 Report T -hon.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -host.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -host.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -host.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -hostname.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -hot.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -hotel.safalife.com Intel::DOMAIN Mandiant APT1 Report T -house.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -house.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -house.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -housew.newsonet.net Intel::DOMAIN Mandiant APT1 Report T 
-hpd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-hq.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
-hrsy.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-https.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
-https.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-https.progammerli.com Intel::DOMAIN Mandiant APT1 Report T
-hu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-hun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-hy.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-hy.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-iabk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-iabk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-iai.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-iamge.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-idtheft.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-iea.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-iexchangefxn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ifc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-image.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-image.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-image.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-image.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-image.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-images.spmiller.org Intel::DOMAIN Mandiant APT1 Report T
-important.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-index.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-india.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-indian.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-indian.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
-indonesia.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-info.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-info.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-info.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-info.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-info.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-info.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-info.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-info.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-info.idirectech.com Intel::DOMAIN Mandiant APT1 Report T
-info.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-info.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-info.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
-info.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
-info.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
-info.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-info.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-info.theagenews.com Intel::DOMAIN Mandiant APT1 Report T
-info.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
-info.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-info.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-information.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-information.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-information.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-information.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-information.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-ins.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-insat.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-int.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-int.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-intel.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-intel.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-intel.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-inter.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-international.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-invest.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-ips.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-iri.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-iri.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-irl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-irs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-irs.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-irsauctions.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-irssales.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-iscu.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-iswb.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-it.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-it.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-itau.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-itinfo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-japan.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-java.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-jbei.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-jeff.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-jeph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-jf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-jfn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-jfs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-jhd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-jhd.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-jhsfkjlhjsf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-job.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-job.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-job.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-jobs.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
-johnford985.appspot.com Intel::DOMAIN Mandiant APT1 Report T
-jr.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-juda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-jwss.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-kf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-khoda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-king-kl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kit.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-kit.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-klape.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-klati.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-klbakerm.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klbar.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klbis.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-klbis.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-klbis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-kl-care.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-klcirf.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-klcocon.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-klecca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-klecca.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klenvi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-kl-hqun.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-kl-hqun.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kliee.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kl-knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kllhd.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-kllhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-kl-mfa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-klmfat.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klnrdc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-klnrdc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-klpiec.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kl-rfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kl-rio.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kluscc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-kl-vfw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-klwest.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-knews.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-koa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-ks.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-ks.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-ks.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-ks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ks.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-ks.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-ks.petrotdl.com Intel::DOMAIN Mandiant APT1 Report T
-ks.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-ks.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-ksaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ksap.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-kshan.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-kusw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-lab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-lan.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-launch.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-law.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-law.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
-lawste.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-lawste2.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-lcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-leets.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-leon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-lhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-lib.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-life.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-link.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-linkup.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-linux.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-lion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-listen.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-live.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-living.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-ln.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-lnz.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-loading.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-local.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-log.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-log.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-log.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-log.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-log.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-login.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
-login.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-login.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-login.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-login.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-login.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-logo.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-logo.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-logo.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
-logon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-logs.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-logs.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-logs.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
-logs.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-lone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-loper.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-lost.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-lost.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-love.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-love.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-love.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-lovecocon.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-loveit.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-lrl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-lucie.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-lucy.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-lucy.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-lucy.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-lucy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-lucy2.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-lucy2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-lw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-lw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-lw.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-lw.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-lwave.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-m.cslisten.com Intel::DOMAIN Mandiant APT1 Report T
-m.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
-macfee.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-magazine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-magazine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-magic.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
-mail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-mail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-mail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-mail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-mail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-mail.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-mail.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-mail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-mail.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-mail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-mail.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
-mail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-mail.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-mail.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-mail.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
-mail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-mail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-mail.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-mail.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
-mail.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-mail.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
-mail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-mail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-mail.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-mail.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
-mail.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-mail.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-mail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-mail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-mail.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-mail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-mail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-mail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-mail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-mail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T
-mail.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
-mail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-mail2.syscation.net Intel::DOMAIN Mandiant APT1 Report T
-mailbbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-mails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-mailsrv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-main.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-man001.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-man001.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-map.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-maria.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-marines.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-max.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-mc.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-mcsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-me.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-media.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-media.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-media.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-media.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-media.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-media.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-media.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-media.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-medicine.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-medicine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-meg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-meily.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-memberd.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-message.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-messenger.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-method.ns06.net Intel::DOMAIN Mandiant APT1 Report T
-mfa.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-mfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-micro.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-microsoft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-milk.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-mini.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-mint.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-mko.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-mlls.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-mobile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-money.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-moon.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-moon.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-mor.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-more.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-mos.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-moto.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-moto.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-moto.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-moto1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-moto2.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-motoa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-motor.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-movie.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-movies.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
-mpe.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-msn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-music.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
-music.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-music.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-music.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-mx.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-my.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-my550.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-myfamily.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-mynet.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-myoil.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-mysql.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-na.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-na.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-nat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-nature.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-nav.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-navi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-navi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-nci.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-nci.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-nci.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-ncih.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-ncsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-ne.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-nes.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
-net.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-net.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-new.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-new.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-new.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-new.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-newport.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-newport.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-newport.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-news.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-news.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-news.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
-news.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-news.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-news.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-news.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-news.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
-news.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-news.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-news.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-news.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-news.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-news.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-news.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
-news.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-news.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-news.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-news.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
-news.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-news.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-news.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-news.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-news.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-news.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-news.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
-news.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
-news.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-news.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
-news.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
-news.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-news.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
-news.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
-news.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-news.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
-news.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
-news.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
-news.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-news.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-news.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
-news.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-news.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
-news.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-news.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-news.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-news.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-news.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-news.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
-news.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-news.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-news.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
-news.yahoo.com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
-news.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-newstar.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
-newstar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-newstime.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-newyork.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-ngc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-ngng.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-nh.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
-nhc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-nhs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-nhs1.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-nhs1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-nhsl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-nic.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-nicenews.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-night.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-nis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-nl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-nod.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-nol.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-norin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-notebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-nousage.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-nrfn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-ns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-nt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-nucor001.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-nukor001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-nullmx.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-num.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-o.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
-object.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-office.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-okie.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-old.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-oliver.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-once.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-onk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-online.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
-online.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-online.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-online.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-online.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-ope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-opp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-oppa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-opts.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-orca.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-ord.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-orient.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-otp.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-otps.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-ou.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou1.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-ou1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-ou2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou4.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-ou7.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-outlook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-outlooks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-owa.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-owa.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-owa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-owa.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-pacific.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pacific.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-pack.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
-pact.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-paekl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-papper.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-papper.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pars.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-part.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-part.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-parth.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-pay.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-pay.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
-payse.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pcie.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-pda.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-pda.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-pda.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-pda.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-pda.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-pdoc.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-pear.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pear.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pear.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-people.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-phb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-phe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-philippines.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-pic.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-picture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
-pink.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-plane.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-planning.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-play.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
-play.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pme.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-png.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
-pop.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-pop.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-pop.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-pop.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-pop.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-pop.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-pop.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-pop.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
-pop.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
-pop.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-pop.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
-pop.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
-pop.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
-pop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
-pop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pop.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-pop.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-pop.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-pop.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
-pop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-pop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-pop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-pop.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-pop.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-pop.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-pop.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
-pop.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
-pop.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-pop.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-pop.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
-pop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-pop2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pop2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-pop3.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pop3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-pop4.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pop5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-pop6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-pop9.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-popw.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-popwk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-portbab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-portpop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-ppt.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-prc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
-prefix.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-prefix.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
-pro.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-proc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-proc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-product.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
-program.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-progress.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-protoc.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-psp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-psp.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-psu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-psu.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
-psu.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-ptp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-pz.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
-qedh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-qhun-mons.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
-qiao1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao1.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-qiao2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao3.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao4.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao5.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao6.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao7.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qiao8.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-qua.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-qual.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
-quick.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-quiet.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
-qusc12.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-rank.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-rcs.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-reas.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-record.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
-records.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
-red.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-red.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-reg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-release.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-release.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-release.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-report.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
-report.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
-reports.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
-research.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-research.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
-rice.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-rj.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-rj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-rnew.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-roger.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-root.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
-root.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
-rou.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
-rsut.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-s.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
-s.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
-saf.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
-saf.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-safbejn.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
-safe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-safe.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-safety.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-safety.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-safety.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
-safr.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-sale.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
-sale.staycools.net Intel::DOMAIN Mandiant APT1 Report T
-sales.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-sam.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-sam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-sam.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
-satellite.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
-sauu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-sav.safalife.com Intel::DOMAIN Mandiant APT1 Report T
-sb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
-sbh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
-scc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-scc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
-science.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-scorpion.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-scpkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
-sea.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-sea001.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-search.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
-search.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-search.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
-security.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
-security.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
-security.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
-security.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-self.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-sells.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-sells.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
-send.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-serv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-serve.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-server.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-service.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
-service.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
-service.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-service.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
-service.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
-services.busketball.com Intel::DOMAIN Mandiant APT1 Report T
-services.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
-servmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-servmailb.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-servmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-set.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
-sfn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
-sh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
-share.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
-share.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
-share.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
-share.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
-share.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -shit.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -shop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -shop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -shop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -shop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -shop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -shot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -shot.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -shot.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -sifcc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -signal.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -sinbg.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -sisc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -sites.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -sk2.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -skills.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -skills.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -sklcenter.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -sky.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -sky.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -sky.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -sky.safalife.com Intel::DOMAIN Mandiant APT1 Report T -slnoa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -slnoa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -slrfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -slrj.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -slrou.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -slrouji.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sls.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -slutc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -sma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smlk.firefoxupdata.com Intel::DOMAIN Mandiant 
APT1 Report T -smooth.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -smtp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -smtp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -smtp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -smtp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -smtp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -smtp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -smtp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -smtp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smtp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -smtp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -smtp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -smtp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -smtp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -smtp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.safalife.com Intel::DOMAIN Mandiant APT1 Report T -smtp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -smtp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -smtp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -smtp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -smtp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -smtp.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -smtp.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -snoopy.safalife.com Intel::DOMAIN Mandiant APT1 Report T -snoot.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sns.syscation.com Intel::DOMAIN Mandiant APT1 Report T -sns.syscation.net Intel::DOMAIN 
Mandiant APT1 Report T -soft.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -soft.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -soft.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -soft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -soft.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -soft.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -software.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -software.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -solar.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -solar.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -solar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -soler.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sona.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sonah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -songhong.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -sos.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -source.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -sp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -sp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -space.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -spah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -spahi.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -spckl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -spcmon.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -special.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sports.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -sports.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -sports.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sports.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -sports.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T 
-sports.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sports.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -sports.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -sports.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -sports.staycools.net Intel::DOMAIN Mandiant APT1 Report T -sports.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -sports.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -sports.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -sports.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -sports.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -sports3.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sprts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -spte.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -squick.bigish.net Intel::DOMAIN Mandiant APT1 Report T -sremx.bigish.net Intel::DOMAIN Mandiant APT1 Report T -srs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -srs.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -srs.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -srvmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv5.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -sslsrv6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ssun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -star.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -star.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -star.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -stars.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -stars.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -static.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -stell.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -step.msnhome.org Intel::DOMAIN Mandiant APT1 Report T 
-stk.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -stk.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -stock.bigish.net Intel::DOMAIN Mandiant APT1 Report T -stock.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -stone.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -stone.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -stulaw.bigish.net Intel::DOMAIN Mandiant APT1 Report T -stuwal.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -stuwal.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -submarine.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -submarine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -suffering.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -suffering.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -suffering.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -suffering.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -suffering.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -sun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sun.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -sun.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -support.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -support.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -support.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -support.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -support.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -support.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -support.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -support.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -support.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -support.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -support.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -support.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -support.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -sute.newsonet.net 
Intel::DOMAIN Mandiant APT1 Report T -sw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -swiss.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sword.bigish.net Intel::DOMAIN Mandiant APT1 Report T -sword.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -syn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sync.ns06.net Intel::DOMAIN Mandiant APT1 Report T -sys.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sys.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -sys.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -sysj.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -system.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -sysy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tag.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -tape.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -tape.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -tape.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -tclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -tclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -teach.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -tech.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -tech.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tech.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -tech.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -tele.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -telnet.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -test.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -test.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -test.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -test.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -test.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -test.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -thanhnien.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -thec.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T 
-think.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -think.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -tia.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -time.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -time.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -time.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -time.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -time1.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -times.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -tk.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tnjs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tod.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -top.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -topmoney.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -train.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -train.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -travel.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -travel.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -travel.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -travel.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -trb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -trip.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -trip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -triu.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -ts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ttl.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -tx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -ug-aa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-aaon.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-aeai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ag.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-asg.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ati.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T 
-ug-bdai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-bdai.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ug-bdfa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-bpd.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-cccc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ccr.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-chsaw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-co.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-cti.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-dfait.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-enrc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ga.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-hst.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-hst.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ug-irpf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-kfc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-man.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-mbi.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-nema.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-opm.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-piec.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-pmet.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-pnl.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-rev.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-rj.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -ug-rj.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-sbig.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-tree.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-tta.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-volpe.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-west.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -unifh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -up.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -up.safalife.com Intel::DOMAIN Mandiant APT1 Report T 
-upback.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -update.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -update.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -update.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -update.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -update.busketball.com Intel::DOMAIN Mandiant APT1 Report T -update.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -update.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -update.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -update.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -update.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -update.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -update.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -update.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -update.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -update.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -update.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -update.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -update.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -update.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -update.safalife.com Intel::DOMAIN Mandiant APT1 Report T -update.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -update.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -update.staycools.net Intel::DOMAIN Mandiant APT1 Report T -update.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -update.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -update.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -update.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -update.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -update.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -update7.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -update8.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -updater.firefoxupdata.com Intel::DOMAIN 
Mandiant APT1 Report T -updatevn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -upload.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -u-rfc.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -url.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -url.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -us.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -us.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -us.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -utex.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -value.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -vedio.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -velp.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -via.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -via.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -via.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -video.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -vip.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -vip.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T -vip.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -vis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -visual.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vockl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -vol.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -vop.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -vopm.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vpn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -vpn.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -vpn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -vpn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -vsec.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -vseh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -walk.bigish.net Intel::DOMAIN Mandiant APT1 Report T -walste.purpledaily.com 
Intel::DOMAIN Mandiant APT1 Report T -wangye.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -wangye.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -wapi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -was.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -water.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wave.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -wcasekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -wcov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wdeh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -weather.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -weather.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -weather.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -weather.staycools.net Intel::DOMAIN Mandiant APT1 Report T -weather.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -weather.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -web.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -web.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -web.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -web.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -web.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -web.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -web.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -web.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -web.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -web.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -web.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -web.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -webdata.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webjbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -weblog.bigish.net Intel::DOMAIN Mandiant APT1 Report T -weblog.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -webmail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T 
-webmail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -webmail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -webmail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -webmail.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -webmail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -webmail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -webmail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -webmail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -webmail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -webmail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -webmail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -webmail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -webmail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -webmail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -webmail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -webmail.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -webmail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -webmailh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webmailw.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webs.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -wed5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -wed5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -week.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -week.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -weg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wehmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -west.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -west.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -west1.newsonet.net Intel::DOMAIN Mandiant 
APT1 Report T -westjoe.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -westking.bigish.net Intel::DOMAIN Mandiant APT1 Report T -westking.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -westkl.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -westkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -westnew.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -wfcx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wff.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wgl.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -wgw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wh1.bigish.net Intel::DOMAIN Mandiant APT1 Report T -what.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -whi.bigish.net Intel::DOMAIN Mandiant APT1 Report T -windows.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wins.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -wish.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -wk.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -wmp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnara.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wned.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnew.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -woil.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -women.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wopec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wopm.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -work.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -work.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -work.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -work.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -work.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -work.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -workstation.arrowservice.net 
Intel::DOMAIN Mandiant APT1 Report T -world.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -world.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -wow.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -wow.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -wpcs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpot.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -wpot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wptex.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpvn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpvn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -wrim.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wsyggfw.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -wtom.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wwab.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -wwebmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wwt.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -www.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -www.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -www.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -www.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -www.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -www.attnpower.com Intel::DOMAIN Mandiant APT1 Report T -www.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -www.avvmail.com Intel::DOMAIN Mandiant APT1 Report T -www.bigish.net Intel::DOMAIN Mandiant APT1 Report T -www.bluecoate.com Intel::DOMAIN Mandiant APT1 Report T -www.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -www.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -www.busketball.com Intel::DOMAIN Mandiant APT1 Report T -www.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -www.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -www.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -www.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T 
-www.cometoway.org Intel::DOMAIN Mandiant APT1 Report T -www.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -www.competrip.com Intel::DOMAIN Mandiant APT1 Report T -www.comtoway.com Intel::DOMAIN Mandiant APT1 Report T -www.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -www.copporationnews.com Intel::DOMAIN Mandiant APT1 Report T -www.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -www.doemarkennel.com Intel::DOMAIN Mandiant APT1 Report T -www.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -www.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -www.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -www.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -www.giftnews.org Intel::DOMAIN Mandiant APT1 Report T -www.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -www.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -www.hkcastte.com Intel::DOMAIN Mandiant APT1 Report T -www.hvmetal.com Intel::DOMAIN Mandiant APT1 Report T -www.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -www.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -www.jjpopp.com Intel::DOMAIN Mandiant APT1 Report T -www.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -www.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -www.maltempata.com Intel::DOMAIN Mandiant APT1 Report T -www.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -www.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -www.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -www.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -www.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -www.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -www.newsesport.com Intel::DOMAIN Mandiant APT1 Report T -www.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -www.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -www.nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T -www.olmusic100.com Intel::DOMAIN Mandiant APT1 Report T -www.online.mcafeepaying.com 
Intel::DOMAIN Mandiant APT1 Report T -www.phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T -www.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -www.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -www.safety-update.com Intel::DOMAIN Mandiant APT1 Report T -www.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -www.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -www.shepmas.com Intel::DOMAIN Mandiant APT1 Report T -www.skyswim.net Intel::DOMAIN Mandiant APT1 Report T -www.staycools.net Intel::DOMAIN Mandiant APT1 Report T -www.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -www.syscation.com Intel::DOMAIN Mandiant APT1 Report T -www.syscation.net Intel::DOMAIN Mandiant APT1 Report T -www.tibethome.org Intel::DOMAIN Mandiant APT1 Report T -www.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -www.ueopen.com Intel::DOMAIN Mandiant APT1 Report T -www.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -www.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -www.ushongkong.org Intel::DOMAIN Mandiant APT1 Report T -www.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -www.uszzcs.com Intel::DOMAIN Mandiant APT1 Report T -www.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -www.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -www.widewebsense.com Intel::DOMAIN Mandiant APT1 Report T -www.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -www.youipcam.com Intel::DOMAIN Mandiant APT1 Report T -www-01.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -www-049.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -www1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -www1.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -www1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -www1.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -www2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -www3.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -wwwcb.newspappers.org Intel::DOMAIN Mandiant APT1 Report 
T -www-ctr.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wwwi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -wwwt.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -x-admin.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -xawh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -x-book.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -x-fmgg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xinge3344.cccpan.com Intel::DOMAIN Mandiant APT1 Report T -xinge3344.ys168.com Intel::DOMAIN Mandiant APT1 Report T -xmer.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -x-stone.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xtap.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -xwclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xwclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -xwclient.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -yang.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -yang.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yang1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -yang1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yang2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yard.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ysb.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ysb.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -z0.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -z4.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -za.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -zapts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zero.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zh.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -zone.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -zone.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -zone.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T 
-zone.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -zone.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -zone.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -ztl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat deleted file mode 100644 index 421549121..000000000 --- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat +++ /dev/null 
@@ -1,1012 +0,0 @@ -#fields indicator indicator_type meta.source meta.do_notice -# The following lines are for testing purposes only. Please keep them commented out when running in production. -#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T -#9593fcbd91fdb1a41d0304bf684d29fd Intel::FILE_HASH Test MD5 T -#e2c33fa7a3802289d46a7c3e4e1df342 Intel::FILE_HASH Test MD5 T -001dd76872d80801692ff942308c64e6 Intel::FILE_HASH Mandiant Apt1 Report T -002325a0a67fded0381b5648d7fe9b8e Intel::FILE_HASH Mandiant Apt1 Report T -00dbb9e1c09dbdafb360f3163ba5a3de Intel::FILE_HASH Mandiant Apt1 Report T -00f24328b282b28bc39960d55603e380 Intel::FILE_HASH Mandiant Apt1 Report T -0115338e11f85d7a2226933712acaae8 Intel::FILE_HASH Mandiant Apt1 Report T -0141955eb5b90ce25b506757ce151275 Intel::FILE_HASH Mandiant Apt1 Report T -0149b7bd7218aab4e257d28469fddb0d Intel::FILE_HASH Mandiant Apt1 Report T -016da6ee744b16656a2ba3107c7a4a29 Intel::FILE_HASH Mandiant Apt1 Report T -01e0dc079d4e33d8edd050c4900818da Intel::FILE_HASH Mandiant Apt1 Report T -024fd07dbdacc7da227bede3449c2b6a Intel::FILE_HASH Mandiant Apt1 Report T -0285bd1fbdd70fd5165260a490564ac8 Intel::FILE_HASH Mandiant Apt1 Report T -02a2d148faba3b6310e7ba81eb62739d Intel::FILE_HASH Mandiant Apt1 Report T -02c65973b6018f5d473d701b3e7508b2 Intel::FILE_HASH Mandiant Apt1 Report T -034374db2d35cf9da6558f54cec8a455 Intel::FILE_HASH Mandiant Apt1 Report T -03ae71eba61af2d497e226da3954f3af Intel::FILE_HASH Mandiant Apt1 Report T -0469a42d71b4a55118b9579c8c772bb6 Intel::FILE_HASH Mandiant Apt1 Report T -0496e3b17cf40c45f495188a368c203a Intel::FILE_HASH Mandiant Apt1 Report T -04a7b7dab5ff8ba1486df9dbe68c748c Intel::FILE_HASH Mandiant Apt1 Report T -04e83832146034f9797d2e8145413daa Intel::FILE_HASH Mandiant Apt1 Report T -04f481d6710ac5d68d0eacac2600a041 Intel::FILE_HASH Mandiant Apt1 Report T -0501bb10d646b29cab7d17a8407010d9 Intel::FILE_HASH Mandiant Apt1 Report T -0522e955aaee70b102e843f14c13a92c Intel::FILE_HASH Mandiant 
Apt1 Report T -052ec04866e4a67f31845d656531830d Intel::FILE_HASH Mandiant Apt1 Report T -0545a524a6bb0b042f4b00da53fec948 Intel::FILE_HASH Mandiant Apt1 Report T -05552a77620933dd80f1e176736f8fe7 Intel::FILE_HASH Mandiant Apt1 Report T -0583f58ac3d804d28cd433d369b096b8 Intel::FILE_HASH Mandiant Apt1 Report T -0588ffa0a244a2c4431c5c4faac60b1f Intel::FILE_HASH Mandiant Apt1 Report T -05bc8309b93676087d5fb0b58ad5e9d8 Intel::FILE_HASH Mandiant Apt1 Report T -05cc052686fbdf25fb610c1fe120195f Intel::FILE_HASH Mandiant Apt1 Report T -06598b0490133815541c5ac023623e82 Intel::FILE_HASH Mandiant Apt1 Report T -065e63afdfa539727f63af7530b22d2f Intel::FILE_HASH Mandiant Apt1 Report T -078f1e2c528f2318b073e871f73efc21 Intel::FILE_HASH Mandiant Apt1 Report T -079028d315d039da0ffec2728b2c9ef6 Intel::FILE_HASH Mandiant Apt1 Report T -07ae235391f7b290ea3a35067239a290 Intel::FILE_HASH Mandiant Apt1 Report T -07c4032f24ae44614676fbdfe539afe0 Intel::FILE_HASH Mandiant Apt1 Report T -07fe9f901fb4f14e16fb5d114a92b0fc Intel::FILE_HASH Mandiant Apt1 Report T -08084604344b5ed11c2612795b2d3608 Intel::FILE_HASH Mandiant Apt1 Report T -0829207a8400e2814990f79fbdfe7f4d Intel::FILE_HASH Mandiant Apt1 Report T -082cc969b3eb6786e3e951b450b8de0d Intel::FILE_HASH Mandiant Apt1 Report T -089c9e5407ddb464dfeca2e528536395 Intel::FILE_HASH Mandiant Apt1 Report T -08d7679a9c806a2f7d2be26fe9b425ee Intel::FILE_HASH Mandiant Apt1 Report T -08e0d0f5cdfe1bc2e5fc1b992fe1e073 Intel::FILE_HASH Mandiant Apt1 Report T -08f21a020f41f0bcacdc9427f84987da Intel::FILE_HASH Mandiant Apt1 Report T -0908d8b3e459551039bade50930e4c1b Intel::FILE_HASH Mandiant Apt1 Report T -09531f851ef74a7238685fd287a395bd Intel::FILE_HASH Mandiant Apt1 Report T -097b5abb53a3d84fa9eabda02fef9e91 Intel::FILE_HASH Mandiant Apt1 Report T -09d372e4259980ac95fdadf1846578d9 Intel::FILE_HASH Mandiant Apt1 Report T -0b506c6dde8d07f9eeb82fd01a6f97d4 Intel::FILE_HASH Mandiant Apt1 Report T -0b680e7bd5c0501d5dd73164122a7faf Intel::FILE_HASH Mandiant 
Apt1 Report T -0c28ad34f90950bc784339ec9f50d288 Intel::FILE_HASH Mandiant Apt1 Report T -0c5858f293aed44ea00eb9e0019609df Intel::FILE_HASH Mandiant Apt1 Report T -0c5e9f564115bfcbee66377a829de55f Intel::FILE_HASH Mandiant Apt1 Report T -0ca6e2ad69826c8e3287fc8576112814 Intel::FILE_HASH Mandiant Apt1 Report T -0cad42671e5771574df44a23b3634f32 Intel::FILE_HASH Mandiant Apt1 Report T -0ccfaeb11defb100b5ddb40057e8fce4 Intel::FILE_HASH Mandiant Apt1 Report T -0cf8259502d178a099ab2852e2bddbe1 Intel::FILE_HASH Mandiant Apt1 Report T -0cf9e999c574ec89595263446978dc9f Intel::FILE_HASH Mandiant Apt1 Report T -0d0240672a314a7547d328f824642da8 Intel::FILE_HASH Mandiant Apt1 Report T -0d678350f05b274844da5d79fee75324 Intel::FILE_HASH Mandiant Apt1 Report T -0dd3677594632ce270bcf8af94819caf Intel::FILE_HASH Mandiant Apt1 Report T -0df42947e167cd006b176d305c08d57e Intel::FILE_HASH Mandiant Apt1 Report T -0e84132e5ad04351b644b8d8743fc4d3 Intel::FILE_HASH Mandiant Apt1 Report T -0ec0fcd649f3d5aa2e19f110c0089164 Intel::FILE_HASH Mandiant Apt1 Report T -0f23d5b93c30681655d8a4258b8de129 Intel::FILE_HASH Mandiant Apt1 Report T -0fbdc6e3f79063a4773d4872fa1f15d1 Intel::FILE_HASH Mandiant Apt1 Report T -0fed203f3df6a82c9124f24aa3d9d75d Intel::FILE_HASH Mandiant Apt1 Report T -0ff20d023d6b54661d66fb3ce09afe3c Intel::FILE_HASH Mandiant Apt1 Report T -0ff48a336655869a74611236e6e2d249 Intel::FILE_HASH Mandiant Apt1 Report T -106338ad223b84fbc2528a55e3e22302 Intel::FILE_HASH Mandiant Apt1 Report T -1097ca5269dea866d5c9f2b0cc50af6d Intel::FILE_HASH Mandiant Apt1 Report T -10a38dd9598cc31efe664cfaa8f37bf1 Intel::FILE_HASH Mandiant Apt1 Report T -10a68e08c514d3b69296b0eb557d822c Intel::FILE_HASH Mandiant Apt1 Report T -10bb5a8ae053e335fe047cf38db95452 Intel::FILE_HASH Mandiant Apt1 Report T -11504971bb85cdacb8ef7d45e6e2aeb7 Intel::FILE_HASH Mandiant Apt1 Report T -11ccf3f93b00b01887e50283742cd1e6 Intel::FILE_HASH Mandiant Apt1 Report T -11d350127ff1e9ecd665c34326475584 Intel::FILE_HASH Mandiant 
Apt1 Report T -11dbecc954bf8a89d59407a992889cfd Intel::FILE_HASH Mandiant Apt1 Report T -11de4b1ab84bcb8dd28ef0ea4641f6d0 Intel::FILE_HASH Mandiant Apt1 Report T -120c2e085992ff59a21ba401ec29fec9 Intel::FILE_HASH Mandiant Apt1 Report T -1224527e295380dce1ac9953c850ce97 Intel::FILE_HASH Mandiant Apt1 Report T -123505024f9e5ff74cb6aa67d7fcc392 Intel::FILE_HASH Mandiant Apt1 Report T -125ebbc6f0c957ee994fcef1431a93f4 Intel::FILE_HASH Mandiant Apt1 Report T -129c6cd9d2aa895cf6fa137fa1d3a188 Intel::FILE_HASH Mandiant Apt1 Report T -12a410d82a1fc9a8c18b350872e0d465 Intel::FILE_HASH Mandiant Apt1 Report T -12f25ce81596aeb19e75cc7ef08f3a38 Intel::FILE_HASH Mandiant Apt1 Report T -1328eaceb140a3863951d18661b097af Intel::FILE_HASH Mandiant Apt1 Report T -13835f0d5aafbeda50560afc92c8b7b7 Intel::FILE_HASH Mandiant Apt1 Report T -13f0b56c28995e4efc8da784ad862853 Intel::FILE_HASH Mandiant Apt1 Report T -1415eb8519d13328091cc5c76a624e3d Intel::FILE_HASH Mandiant Apt1 Report T -1486f48948db4f9afaebd69c7c52f899 Intel::FILE_HASH Mandiant Apt1 Report T -150c4c1f589c4baa794160276a3d4aba Intel::FILE_HASH Mandiant Apt1 Report T -150c95865766c2dd0562e7bedb6db104 Intel::FILE_HASH Mandiant Apt1 Report T -15137b710414e4e8508ac5ab27e2cbaa Intel::FILE_HASH Mandiant Apt1 Report T -15244d2321faa3a271ff0b1e5a23148f Intel::FILE_HASH Mandiant Apt1 Report T -15901ddbccc5e9e0579fc5b42f754fe8 Intel::FILE_HASH Mandiant Apt1 Report T -15d1330be5e27f6f51d011b0575ffa05 Intel::FILE_HASH Mandiant Apt1 Report T -165ef79e7caa806f13f82cc2bbf3dedd Intel::FILE_HASH Mandiant Apt1 Report T -16e53c619803d0068611bb6d448d1d49 Intel::FILE_HASH Mandiant Apt1 Report T -17199ddac616938f383a0339f416c890 Intel::FILE_HASH Mandiant Apt1 Report T -173cd315008897e56fa812f2b2843f83 Intel::FILE_HASH Mandiant Apt1 Report T -177e0270f25a901c216ffb2e7a36e5b1 Intel::FILE_HASH Mandiant Apt1 Report T -17f5a2e0997b59449ca2120b20b5b7ce Intel::FILE_HASH Mandiant Apt1 Report T -17f6602f1c507b006b9d09eedcde0096 Intel::FILE_HASH Mandiant 
Apt1 Report T -1809c3cc93332d7bc0799238519a2938 Intel::FILE_HASH Mandiant Apt1 Report T -18316e6ebb356a66c8ff51e73c1bcc8a Intel::FILE_HASH Mandiant Apt1 Report T -18e5ef23b634344321b2b3f5fa80a598 Intel::FILE_HASH Mandiant Apt1 Report T -19fc27aeb48b3ce8d00eb2e76dfe2837 Intel::FILE_HASH Mandiant Apt1 Report T -1a0c7e61bcc50d57b7bcf9d9af691de5 Intel::FILE_HASH Mandiant Apt1 Report T -1ae2dadd85cd97452bb26b2c901d0890 Intel::FILE_HASH Mandiant Apt1 Report T -1aea4d24f3bd2c51288ad643fc66e0d2 Intel::FILE_HASH Mandiant Apt1 Report T -1b36190794516da078decaff881d9864 Intel::FILE_HASH Mandiant Apt1 Report T -1b7eed9d2438b494197e95fe57114f9b Intel::FILE_HASH Mandiant Apt1 Report T -1ba6fee7d4e73752b39a09b1396b69f0 Intel::FILE_HASH Mandiant Apt1 Report T -1baa7f5813e259c6346d1b02a1370d75 Intel::FILE_HASH Mandiant Apt1 Report T -1c16bd1488163c03cd506c2f71486a0f Intel::FILE_HASH Mandiant Apt1 Report T -1c7538951b21d93ef7ecf3fa94ae5c5e Intel::FILE_HASH Mandiant Apt1 Report T -1ca3ca9ec20474d07fc798f2b41e2625 Intel::FILE_HASH Mandiant Apt1 Report T -1ce4605e771a04e375e0d1083f183e8e Intel::FILE_HASH Mandiant Apt1 Report T -1e314c972075b8058099fd8759c11ce8 Intel::FILE_HASH Mandiant Apt1 Report T -1e48f6ba839d2c4794e23c10e5c4c138 Intel::FILE_HASH Mandiant Apt1 Report T -1e5ec6c06e4f6bb958dcbb9fc636009d Intel::FILE_HASH Mandiant Apt1 Report T -1ea61a0945bde3c6f41e12bc01928d37 Intel::FILE_HASH Mandiant Apt1 Report T -1ede2c69d50e0efbe23f758d902216e0 Intel::FILE_HASH Mandiant Apt1 Report T -1f2eb7b090018d975e6d9b40868c94ca Intel::FILE_HASH Mandiant Apt1 Report T -1f92ff8711716ca795fbd81c477e45f5 Intel::FILE_HASH Mandiant Apt1 Report T -1f9b32bac55ba4c015181ebf55767752 Intel::FILE_HASH Mandiant Apt1 Report T -1fad25d4fef631f8ec3115e0944e4621 Intel::FILE_HASH Mandiant Apt1 Report T -1fb4ce2e56ced51ddf1edff8ed15c21b Intel::FILE_HASH Mandiant Apt1 Report T -1fff3f96f53c5bbdd39eb2351f12549d Intel::FILE_HASH Mandiant Apt1 Report T -201fb83679a1fe05007fc6b8d6d96680 Intel::FILE_HASH Mandiant 
Apt1 Report T -2080f463388aebe6deb7edf11c01f7ff Intel::FILE_HASH Mandiant Apt1 Report T -20e2c8c7a98ddd4c16f6e878194c1e78 Intel::FILE_HASH Mandiant Apt1 Report T -212c724346400853d05a4440cabd716c Intel::FILE_HASH Mandiant Apt1 Report T -2156942db0293565c9420c1e254a2c32 Intel::FILE_HASH Mandiant Apt1 Report T -215df0c319b98dad4f202849b097f8b2 Intel::FILE_HASH Mandiant Apt1 Report T -2198fea94bb79b001fcfd3e03b269001 Intel::FILE_HASH Mandiant Apt1 Report T -2244c60f4c1dc285c259f3ac5bf88ff8 Intel::FILE_HASH Mandiant Apt1 Report T -225e33508861984dd2a774760bfdfc52 Intel::FILE_HASH Mandiant Apt1 Report T -2272791cadf422ce02a117a3a857f84e Intel::FILE_HASH Mandiant Apt1 Report T -22aa55134d621672e93c6de928c8b122 Intel::FILE_HASH Mandiant Apt1 Report T -22d9466d6aab8410bea006b5d3df8bd0 Intel::FILE_HASH Mandiant Apt1 Report T -23059de2797774bbdd9b21f979aaec51 Intel::FILE_HASH Mandiant Apt1 Report T -23e371b816bab10cd9cfc4a46154022c Intel::FILE_HASH Mandiant Apt1 Report T -24259ae8b0018b0ce9992fb1d9b69e2a Intel::FILE_HASH Mandiant Apt1 Report T -2479a9a50308cb72fcd5e4e18ef06468 Intel::FILE_HASH Mandiant Apt1 Report T -24c4ed0a6cc4e9671b72c104977fa215 Intel::FILE_HASH Mandiant Apt1 Report T -24f1b8266f4faf550999581bf0edac83 Intel::FILE_HASH Mandiant Apt1 Report T -24fefb8b9338e2300308260be19bbaab Intel::FILE_HASH Mandiant Apt1 Report T -251c817f4144264c3e7a9dac03071daf Intel::FILE_HASH Mandiant Apt1 Report T -255cd53f9bdb6f3755e621885cb34382 Intel::FILE_HASH Mandiant Apt1 Report T -257258344edad17f689b1c6d14833cbc Intel::FILE_HASH Mandiant Apt1 Report T -25f240aed433c4ea52ccdb898e43756f Intel::FILE_HASH Mandiant Apt1 Report T -2640cb47de607a8276c26e8a27f1150b Intel::FILE_HASH Mandiant Apt1 Report T -268988aa1df82ab073f527b5b6c8bff7 Intel::FILE_HASH Mandiant Apt1 Report T -268eef019bf65b2987e945afaf29643f Intel::FILE_HASH Mandiant Apt1 Report T -270d42f292105951ee81e4085ea45054 Intel::FILE_HASH Mandiant Apt1 Report T -2762fb36161086f7ef3f33232aa790dc Intel::FILE_HASH Mandiant 
Apt1 Report T -277964807a66aeeb6bd81dbfcaa3e4e6 Intel::FILE_HASH Mandiant Apt1 Report T -277f95bff2e0fe317f86b5010bd83a18 Intel::FILE_HASH Mandiant Apt1 Report T -286f48dda20e2ccc3250a6e09a130db1 Intel::FILE_HASH Mandiant Apt1 Report T -28dbd86bd86eb9153ecb20d883c41ae0 Intel::FILE_HASH Mandiant Apt1 Report T -28e64dfeab48030bc532ae4ace2c9e4c Intel::FILE_HASH Mandiant Apt1 Report T -2976a62c2a829a153a9b0b5f433bdc77 Intel::FILE_HASH Mandiant Apt1 Report T -29c691978af80dc23c4df96b5f6076bb Intel::FILE_HASH Mandiant Apt1 Report T -2a214ce037f5f6bb01ddc453f0265d92 Intel::FILE_HASH Mandiant Apt1 Report T -2a4604fcae876dee445de5ad74fd7835 Intel::FILE_HASH Mandiant Apt1 Report T -2a84b88c4a2ce0fb6227f7990f465737 Intel::FILE_HASH Mandiant Apt1 Report T -2acfc925e66e1b820a67c4d0f3e6ae8c Intel::FILE_HASH Mandiant Apt1 Report T -2af105519133baaee57c9ade00543de2 Intel::FILE_HASH Mandiant Apt1 Report T -2b379d5346ffd386c28038630a9b0292 Intel::FILE_HASH Mandiant Apt1 Report T -2b659d71ae168e774faaf38db30f4a84 Intel::FILE_HASH Mandiant Apt1 Report T -2b732257d8d9f09560fdcb7d84d430ca Intel::FILE_HASH Mandiant Apt1 Report T -2ba0d0083976a5c1e3315413cdcffcd2 Intel::FILE_HASH Mandiant Apt1 Report T -2bd02b41817d227058522cca40acd390 Intel::FILE_HASH Mandiant Apt1 Report T -2bdc196cdac4478ae325c94bab433732 Intel::FILE_HASH Mandiant Apt1 Report T -2c49f47c98203b110799ab622265f4ef Intel::FILE_HASH Mandiant Apt1 Report T -2c78d8bb5912d8174042f81197d9b449 Intel::FILE_HASH Mandiant Apt1 Report T -2c9c691e15a48b20dbead0a6d6bf0300 Intel::FILE_HASH Mandiant Apt1 Report T -2ca8ba14ff07ef8616372c53ee84d20e Intel::FILE_HASH Mandiant Apt1 Report T -2cdbeebcf4e0b6dbd24b8c7b4cd6d862 Intel::FILE_HASH Mandiant Apt1 Report T -2d08595e73de31a36c1187fcaac73bf0 Intel::FILE_HASH Mandiant Apt1 Report T -2d57aa4e7f2f4088f1b96313b24c7602 Intel::FILE_HASH Mandiant Apt1 Report T -2daa4a4574ba06aa3203ae0e0b45b3b8 Intel::FILE_HASH Mandiant Apt1 Report T -2dd892986b2249b5214639ecc8ac0223 Intel::FILE_HASH Mandiant 
Apt1 Report T -2e8484f59899046452392c236460ebb6 Intel::FILE_HASH Mandiant Apt1 Report T -2ef062fa86537db34f5907a9775664a1 Intel::FILE_HASH Mandiant Apt1 Report T -2f5979eaa728550a352c1ffee0b31236 Intel::FILE_HASH Mandiant Apt1 Report T -2f930d92dc5ebc9d53ad2a2b451ebf65 Intel::FILE_HASH Mandiant Apt1 Report T -2fae9efa753d3d821e1efdbc1335b966 Intel::FILE_HASH Mandiant Apt1 Report T -2fccaa39533de02490b1c6395878dd79 Intel::FILE_HASH Mandiant Apt1 Report T -30a7aa13b1f8d272cb36576952e8b6c0 Intel::FILE_HASH Mandiant Apt1 Report T -30b3b17eab05ecffaa055b5091aa66f9 Intel::FILE_HASH Mandiant Apt1 Report T -30e78d186b27d2023a2a7319bb679c3f Intel::FILE_HASH Mandiant Apt1 Report T -3107de21e480ab1f2d67725f419b28d0 Intel::FILE_HASH Mandiant Apt1 Report T -3120fc8630c5252002f26f6e11b09eca Intel::FILE_HASH Mandiant Apt1 Report T -3122fbb558e1a5f32c90eba31f674add Intel::FILE_HASH Mandiant Apt1 Report T -31b1d316b46c967c80fe7398a9e4cf41 Intel::FILE_HASH Mandiant Apt1 Report T -31e5e58dbdfad05175613e795298ebb5 Intel::FILE_HASH Mandiant Apt1 Report T -321d75c9990408db812e5a248a74f8c8 Intel::FILE_HASH Mandiant Apt1 Report T -328c3ebb2fd2e170483e8d51ccc6c505 Intel::FILE_HASH Mandiant Apt1 Report T -32c32e936cffa8ab370c7f3f2dd43d65 Intel::FILE_HASH Mandiant Apt1 Report T -335df3ffb8cee61c20ab91a401204df4 Intel::FILE_HASH Mandiant Apt1 Report T -3364813bcbd111fc5ec1e4265c533506 Intel::FILE_HASH Mandiant Apt1 Report T -338782d2df367156a2c7e12e9526c600 Intel::FILE_HASH Mandiant Apt1 Report T -33d974011c4b047bf9874a71ba261a11 Intel::FILE_HASH Mandiant Apt1 Report T -33de5067a433a6ec5c328067dc18ec37 Intel::FILE_HASH Mandiant Apt1 Report T -33e9ccd45ef133b2c100d5a4f50635d5 Intel::FILE_HASH Mandiant Apt1 Report T -341f5e7215826d07ada1ed2b96264c0d Intel::FILE_HASH Mandiant Apt1 Report T -342939e5fe4770c545659a6bf1e50df4 Intel::FILE_HASH Mandiant Apt1 Report T -3441cbdf8de9472c19b021b241429b22 Intel::FILE_HASH Mandiant Apt1 Report T -349f6cfb77bb360063c477e9b6ca24d6 Intel::FILE_HASH Mandiant 
Apt1 Report T -34ca3fbcaac48498aeff6035b172bf69 Intel::FILE_HASH Mandiant Apt1 Report T -34cebbb4d35a66a7a7fb1ce857c195c9 Intel::FILE_HASH Mandiant Apt1 Report T -35008d12dfa47447112495f430e4aefe Intel::FILE_HASH Mandiant Apt1 Report T -351afebaf03ef12e6ad1b412612d0c53 Intel::FILE_HASH Mandiant Apt1 Report T -35b9f05cf70017cc485af87660109dc8 Intel::FILE_HASH Mandiant Apt1 Report T -35f32431a069398d25efda2dafa32d93 Intel::FILE_HASH Mandiant Apt1 Report T -36a7c3a6460c98e161e1005c925da0b2 Intel::FILE_HASH Mandiant Apt1 Report T -36c0d3f109aede4d76b05431f8a64f9e Intel::FILE_HASH Mandiant Apt1 Report T -36cd49ad631e99125a3bb2786e405cea Intel::FILE_HASH Mandiant Apt1 Report T -36d5c8fc4b14559f73b6136d85b94198 Intel::FILE_HASH Mandiant Apt1 Report T -370c50aea66cc338b37801e1bd1c244f Intel::FILE_HASH Mandiant Apt1 Report T -37cf3f25895c27ca5e647bbfdc1d5b2d Intel::FILE_HASH Mandiant Apt1 Report T -37ddd3d72ead03c7518f5d47650c8572 Intel::FILE_HASH Mandiant Apt1 Report T -37df1896ba54e85ef549ccc1a88d34ab Intel::FILE_HASH Mandiant Apt1 Report T -37e7dc80c1eb618b3cd1b442858afa60 Intel::FILE_HASH Mandiant Apt1 Report T -37eee514b04167f8e17e2caa3bfd3049 Intel::FILE_HASH Mandiant Apt1 Report T -389f43a8af199da8da6b7c75b2c69595 Intel::FILE_HASH Mandiant Apt1 Report T -390d1f2a620912104f53c034c8aef14b Intel::FILE_HASH Mandiant Apt1 Report T -39e28f48c138dc156d1436fd02222e45 Intel::FILE_HASH Mandiant Apt1 Report T -3a3e4bca1197e4abab03340ea97d718d Intel::FILE_HASH Mandiant Apt1 Report T -3a45d4bfd1f919f167ce4a5e5ba00e15 Intel::FILE_HASH Mandiant Apt1 Report T -3a4cda1973cacd78740ff30774d6375e Intel::FILE_HASH Mandiant Apt1 Report T -3abe9c84fc13d0a82c1c3e0dced5825d Intel::FILE_HASH Mandiant Apt1 Report T -3b0829e2e966dae17d4c235893a3ae8a Intel::FILE_HASH Mandiant Apt1 Report T -3b1b190407b868406c5c155a79f3d146 Intel::FILE_HASH Mandiant Apt1 Report T -3b320b90e024bfa48bda72aa7a82322c Intel::FILE_HASH Mandiant Apt1 Report T -3c1b2fabb7d74bc5be0820eae4107f8a Intel::FILE_HASH Mandiant 
Apt1 Report T -3c4066b252722c873348d43b4c3ec0e5 Intel::FILE_HASH Mandiant Apt1 Report T -3cda17269c246a2e3bfcda6fa02fceb8 Intel::FILE_HASH Mandiant Apt1 Report T -3d0c1dc5ac55f6d0e6b7fabfeb5158f5 Intel::FILE_HASH Mandiant Apt1 Report T -3d328395d0cefc67e2909774125196b1 Intel::FILE_HASH Mandiant Apt1 Report T -3d573866620eae070a220be89e113f69 Intel::FILE_HASH Mandiant Apt1 Report T -3d61d23c2be95177937aa50769c0c512 Intel::FILE_HASH Mandiant Apt1 Report T -3d6fe3928f2f5ce41622f3f958b894a0 Intel::FILE_HASH Mandiant Apt1 Report T -3de1bd0f2107198931177b2b23877df4 Intel::FILE_HASH Mandiant Apt1 Report T -3de60420845a582b0e44081b1138a7e4 Intel::FILE_HASH Mandiant Apt1 Report T -3e12ffa5ad676a41754e2cc59e980e57 Intel::FILE_HASH Mandiant Apt1 Report T -3e32ab6a2eac5bd1cddd3146d1a1348b Intel::FILE_HASH Mandiant Apt1 Report T -3e3e6fe1a8c6ffc00a9c644997a4f7a1 Intel::FILE_HASH Mandiant Apt1 Report T -3e69945e5865ccc861f69b24bc1166b6 Intel::FILE_HASH Mandiant Apt1 Report T -3e6ed3ee47bce9946e2541332cb34c69 Intel::FILE_HASH Mandiant Apt1 Report T -3e72fd40e47e232496b303734f1b2b11 Intel::FILE_HASH Mandiant Apt1 Report T -3e87051b1dc3463f378c7e1fe398dc7d Intel::FILE_HASH Mandiant Apt1 Report T -3ea7bf3b469499f0f6d4a78af865138f Intel::FILE_HASH Mandiant Apt1 Report T -3f19992be3606c136b15041207daf6e4 Intel::FILE_HASH Mandiant Apt1 Report T -3f243b304358041fb163007e0c066d4a Intel::FILE_HASH Mandiant Apt1 Report T -3f33c0dab564c35485fd227d97b98443 Intel::FILE_HASH Mandiant Apt1 Report T -3f34e41d8ea034e6246ef6426bc91336 Intel::FILE_HASH Mandiant Apt1 Report T -3f8682ab074a097ebbaadbf26dfff560 Intel::FILE_HASH Mandiant Apt1 Report T -3fb8f4cdcb4d1d48be2e473fd8727239 Intel::FILE_HASH Mandiant Apt1 Report T -3fc26910f9c31bd9ba3ccb09132d9ca3 Intel::FILE_HASH Mandiant Apt1 Report T -40831b3799c94b609a91d517d14bea21 Intel::FILE_HASH Mandiant Apt1 Report T -40b1e9cf468f499d749c0863cfa6c8c1 Intel::FILE_HASH Mandiant Apt1 Report T -40ee45b1343406b6f7ad6204f1af7693 Intel::FILE_HASH Mandiant 
Apt1 Report T -4111fbc14558385c10091543c439264a Intel::FILE_HASH Mandiant Apt1 Report T -411d770b2939e968c692dbdd3116e179 Intel::FILE_HASH Mandiant Apt1 Report T -4192479b055b2b21cb7e6c803b765d34 Intel::FILE_HASH Mandiant Apt1 Report T -41a5d40ecc735172b18b61e01a30a178 Intel::FILE_HASH Mandiant Apt1 Report T -41bb847963a8fce70ad21e70dd786107 Intel::FILE_HASH Mandiant Apt1 Report T -41d623c1de3b0d182c51e56b2a3f3fba Intel::FILE_HASH Mandiant Apt1 Report T -420deefd91db5e177b46e4134441a35e Intel::FILE_HASH Mandiant Apt1 Report T -4227f2872817cfc74d134ee9f3d06d14 Intel::FILE_HASH Mandiant Apt1 Report T -42462d31a2e5b1e4602a1a4d39abeca9 Intel::FILE_HASH Mandiant Apt1 Report T -435991e0c67f0c0b4504355b6d4493f0 Intel::FILE_HASH Mandiant Apt1 Report T -438401c9ae36e9ed1bf4f410ae116484 Intel::FILE_HASH Mandiant Apt1 Report T -438983192903f3fecf77500a39459ee6 Intel::FILE_HASH Mandiant Apt1 Report T -43b844c35e1a933e9214588be81ce772 Intel::FILE_HASH Mandiant Apt1 Report T -44066f29aab6a9379f8dd30f6bec257d Intel::FILE_HASH Mandiant Apt1 Report T -456d298649a7ec31a7250ed9312ebbaf Intel::FILE_HASH Mandiant Apt1 Report T -45aa4177bb42eb3ded5edf397a4aaded Intel::FILE_HASH Mandiant Apt1 Report T -465b085d3ddd22f63d8f7721ce5736d7 Intel::FILE_HASH Mandiant Apt1 Report T -46817cabd6618d2126067430a78f06a3 Intel::FILE_HASH Mandiant Apt1 Report T -468ff2c12cffc7e5b2fe0ee6bb3b239e Intel::FILE_HASH Mandiant Apt1 Report T -46a86e3c12d5025aa78c7ddf46717c38 Intel::FILE_HASH Mandiant Apt1 Report T -46acae84a04e41730d0502d9080bbb4a Intel::FILE_HASH Mandiant Apt1 Report T -46c36c11238100e155f6d418332869ea Intel::FILE_HASH Mandiant Apt1 Report T -471005f73280264c48f769e1c21fbcc1 Intel::FILE_HASH Mandiant Apt1 Report T -4749f6336eb86b5fa7029661f88ded20 Intel::FILE_HASH Mandiant Apt1 Report T -476fea8761a03bef16e322996c2f6666 Intel::FILE_HASH Mandiant Apt1 Report T -4788960e489197f2633f581607eb0d26 Intel::FILE_HASH Mandiant Apt1 Report T -47e7f92419eb4b98ff4124c3ca11b738 Intel::FILE_HASH Mandiant 
Apt1 Report T -494637c4ac6d04bb50a681e87b81043f Intel::FILE_HASH Mandiant Apt1 Report T -494fca685834f3158d133f6b09cbb507 Intel::FILE_HASH Mandiant Apt1 Report T -4962cb3f255b2eaf48847c754d2a553d Intel::FILE_HASH Mandiant Apt1 Report T -496f04719a365f9718919002eff5748b Intel::FILE_HASH Mandiant Apt1 Report T -497f07f54a4c29fe3be1a15f4516e32d Intel::FILE_HASH Mandiant Apt1 Report T -49bacedcd18f6d8929d43a10dae8645f Intel::FILE_HASH Mandiant Apt1 Report T -4a2320b41a5216c741bf63fce562961a Intel::FILE_HASH Mandiant Apt1 Report T -4a54d7878d4170c3d4e3c3606365c42c Intel::FILE_HASH Mandiant Apt1 Report T -4aadab80ce16c588b8719f15e84aba82 Intel::FILE_HASH Mandiant Apt1 Report T -4ab62c8e525bee410cd4b6cfeea7d221 Intel::FILE_HASH Mandiant Apt1 Report T -4ad4258b73430fc3e843a2e59d8ee70a Intel::FILE_HASH Mandiant Apt1 Report T -4b19a2a6d40a5825e868c6ef25ae445e Intel::FILE_HASH Mandiant Apt1 Report T -4c6bddcca2695d6202df38708e14fc7e Intel::FILE_HASH Mandiant Apt1 Report T -4c858a80df0d6de5d69824c9502b65cf Intel::FILE_HASH Mandiant Apt1 Report T -4c9c9dbf388a8d81d8cfb4d3fc05f8e4 Intel::FILE_HASH Mandiant Apt1 Report T -4cabfaef26fd8e5aec01d0c4b90a32f3 Intel::FILE_HASH Mandiant Apt1 Report T -4cd3bed14aaffcf61f4d2948484c4c90 Intel::FILE_HASH Mandiant Apt1 Report T -4d21cc82e4031e1d6bb15541827b9e67 Intel::FILE_HASH Mandiant Apt1 Report T -4e1a92036a577a87a6fa36168d192c4b Intel::FILE_HASH Mandiant Apt1 Report T -4e3ddb5c27e45ee0e6dcc02e87b0abb5 Intel::FILE_HASH Mandiant Apt1 Report T -4e551abcd14506092a0f8d54a45f3569 Intel::FILE_HASH Mandiant Apt1 Report T -4f65bc571cdd9c9cd11e771e1db35a4c Intel::FILE_HASH Mandiant Apt1 Report T -4f763b07a7b8a80f1f9408e590f79532 Intel::FILE_HASH Mandiant Apt1 Report T -50361f8793258b6e883b31269e053ed2 Intel::FILE_HASH Mandiant Apt1 Report T -50a3aaaebae6cee7ecb150ac395276b9 Intel::FILE_HASH Mandiant Apt1 Report T -50f35b7c86aede891a72fcb85f06b0b7 Intel::FILE_HASH Mandiant Apt1 Report T -5100f0a34695c4c9dc7e915177041cad Intel::FILE_HASH Mandiant 
Apt1 Report T -51326bf40da5a5357a143dd9a6e6a11c Intel::FILE_HASH Mandiant Apt1 Report T -51ce169debea41314f591290839fd55f Intel::FILE_HASH Mandiant Apt1 Report T -522d32a505f78f09303e689999a3e461 Intel::FILE_HASH Mandiant Apt1 Report T -523cf1c9741f5f9d11388a58de6a83a4 Intel::FILE_HASH Mandiant Apt1 Report T -523f56515221161579ee6090c962e5b1 Intel::FILE_HASH Mandiant Apt1 Report T -52509abd1cc7b7fb391b19929e0d99c0 Intel::FILE_HASH Mandiant Apt1 Report T -52bd3ceef33900d53315f89538128026 Intel::FILE_HASH Mandiant Apt1 Report T -52cb7fed85bd7ff6797fbc70105a09fe Intel::FILE_HASH Mandiant Apt1 Report T -531a3b0acd95f55c3a7418d31f741357 Intel::FILE_HASH Mandiant Apt1 Report T -53600687ec97c297f03b4f0f4710d0c5 Intel::FILE_HASH Mandiant Apt1 Report T -53b263dd41838aa178a5ced338a207f3 Intel::FILE_HASH Mandiant Apt1 Report T -543c283d691939d99667e22bcb7be610 Intel::FILE_HASH Mandiant Apt1 Report T -543e03cc5872e9ed870b2d64363f518b Intel::FILE_HASH Mandiant Apt1 Report T -54d5d171a482278cc8eacf08d9175fd7 Intel::FILE_HASH Mandiant Apt1 Report T -5537bdce991797198a9ff97ff1492f90 Intel::FILE_HASH Mandiant Apt1 Report T -55886d571c2a57984ea9659b57e1c63a Intel::FILE_HASH Mandiant Apt1 Report T -55bd26326db3d512b6bd9f75d6671819 Intel::FILE_HASH Mandiant Apt1 Report T -55f60194833efcbc8ac16bd0a1cced1a Intel::FILE_HASH Mandiant Apt1 Report T -55fb1409170c91740359d1d96364f17b Intel::FILE_HASH Mandiant Apt1 Report T -5613e6d7111b327307c02bec1701ac3f Intel::FILE_HASH Mandiant Apt1 Report T -565b6fedccab184c92e40483ea49a25f Intel::FILE_HASH Mandiant Apt1 Report T -567395a3c720fcd09eb75b6c188b8687 Intel::FILE_HASH Mandiant Apt1 Report T -56892b0befe8b7a188fdb7e72a07e60f Intel::FILE_HASH Mandiant Apt1 Report T -56a5d0575c0c712deb16f465ac888a65 Intel::FILE_HASH Mandiant Apt1 Report T -56c26b175ae23d90244805a6ec347e42 Intel::FILE_HASH Mandiant Apt1 Report T -56c8ff5c6832f1e31a59e0717c3ab79c Intel::FILE_HASH Mandiant Apt1 Report T -56de2854ef64d869b5df7af5e4effe3e Intel::FILE_HASH Mandiant 
Apt1 Report T -56dff5cdfee293100b59096326fb0daf Intel::FILE_HASH Mandiant Apt1 Report T -57326cd78a56d26e349bbd4bcc5b9fa2 Intel::FILE_HASH Mandiant Apt1 Report T -575836ebb1b8849f04e994e9160370e4 Intel::FILE_HASH Mandiant Apt1 Report T -5790c7c09735cf1ccf10625c7cd87f5e Intel::FILE_HASH Mandiant Apt1 Report T -57cbf78c226265cc1e61ad86779bf906 Intel::FILE_HASH Mandiant Apt1 Report T -57cfef3e32e60df11b8d2c5375f3185c Intel::FILE_HASH Mandiant Apt1 Report T -57e79f7df13c0cb01910d0c688fcd296 Intel::FILE_HASH Mandiant Apt1 Report T -57f98d16ac439a11012860f88db21831 Intel::FILE_HASH Mandiant Apt1 Report T -580a4c05982accc678a72c366b45815d Intel::FILE_HASH Mandiant Apt1 Report T -585691777080b419b523938edd3ba2d6 Intel::FILE_HASH Mandiant Apt1 Report T -588c40520a3cea27d2b35cd1fa05e23f Intel::FILE_HASH Mandiant Apt1 Report T -58b020fd3bc0d34e8c4eaf0a3f3135af Intel::FILE_HASH Mandiant Apt1 Report T -592a33f691daa01ccbfc8078ad961b43 Intel::FILE_HASH Mandiant Apt1 Report T -59620925bf1c4f760c4bf225c7efd6c0 Intel::FILE_HASH Mandiant Apt1 Report T -5a032c13942a46c5ae015f53d9ce138a Intel::FILE_HASH Mandiant Apt1 Report T -5a3abb8053c271c58e879b3b9cf8c8f5 Intel::FILE_HASH Mandiant Apt1 Report T -5a728cb9ce56763dccb32b5298d0f050 Intel::FILE_HASH Mandiant Apt1 Report T -5aeaa53340a281074fcb539967438e3f Intel::FILE_HASH Mandiant Apt1 Report T -5bac505fdc202e1c6507ef381a881ed1 Intel::FILE_HASH Mandiant Apt1 Report T -5bcaa2f4bc7567f6ffd5507a161e221a Intel::FILE_HASH Mandiant Apt1 Report T -5bd5a22d42c04db7ac1343a2a9f471fe Intel::FILE_HASH Mandiant Apt1 Report T -5c4806b5859b35a3df03763e9c7ecbf6 Intel::FILE_HASH Mandiant Apt1 Report T -5c6f30cc369cd164d44941d381e282cc Intel::FILE_HASH Mandiant Apt1 Report T -5ccb52a8e3c31dde2ddbc486a2215e85 Intel::FILE_HASH Mandiant Apt1 Report T -5cd578614afb50b925008b68b3accdb9 Intel::FILE_HASH Mandiant Apt1 Report T -5cd7526fc7d849cbbf8c9d1ffe97a991 Intel::FILE_HASH Mandiant Apt1 Report T -5cf0959687427850a92d7f69edd41b86 Intel::FILE_HASH Mandiant 
Apt1 Report T -5d8129be965fab8115eca34fc84bd7f0 Intel::FILE_HASH Mandiant Apt1 Report T -5dea347d29a3e9c21c52385a10224b65 Intel::FILE_HASH Mandiant Apt1 Report T -5e17055c51724b0b89ff036d02f5208a Intel::FILE_HASH Mandiant Apt1 Report T -5e1d81618eaf005b8e0cd63fbc9a4937 Intel::FILE_HASH Mandiant Apt1 Report T -5e33a9835bced338cb1959c347ac6798 Intel::FILE_HASH Mandiant Apt1 Report T -5e42780f52763c77d592044e535e4b01 Intel::FILE_HASH Mandiant Apt1 Report T -5e686bd284022e35559a9c6118df8f1e Intel::FILE_HASH Mandiant Apt1 Report T -5f837bbfd3b458321070e2aebca4ec46 Intel::FILE_HASH Mandiant Apt1 Report T -5fa50476240c9c59cb72b345751434ce Intel::FILE_HASH Mandiant Apt1 Report T -5ff3269faca4a67d1a4c537154aaad4b Intel::FILE_HASH Mandiant Apt1 Report T -6040dd5b603483f738be6a02a63538f2 Intel::FILE_HASH Mandiant Apt1 Report T -605c1dc91a5c85024160ce78dfac842d Intel::FILE_HASH Mandiant Apt1 Report T -609d917a7f0c526b0d8091c8191da376 Intel::FILE_HASH Mandiant Apt1 Report T -611b1577ba976f76fc01368545bc395c Intel::FILE_HASH Mandiant Apt1 Report T -611c8f862864af818202865b78ad7ca8 Intel::FILE_HASH Mandiant Apt1 Report T -61daab56e07dfa3a236d8aec9eb80545 Intel::FILE_HASH Mandiant Apt1 Report T -61e0da42d5d084af24d31fbcef4ff409 Intel::FILE_HASH Mandiant Apt1 Report T -620c6a6cff832e35090487680123f52b Intel::FILE_HASH Mandiant Apt1 Report T -62a35021454e17f4a913e577d7ecd22f Intel::FILE_HASH Mandiant Apt1 Report T -62bee50b480f6a6aa427a00464baf376 Intel::FILE_HASH Mandiant Apt1 Report T -62c72767508e461cfe94b0c706e6d446 Intel::FILE_HASH Mandiant Apt1 Report T -62d60a1cd1e7ba73aebc98812e5ac266 Intel::FILE_HASH Mandiant Apt1 Report T -62ea10608f0d54cd284e8d7be32f206e Intel::FILE_HASH Mandiant Apt1 Report T -633cb95904ab9dc0a3de4ddd443494e8 Intel::FILE_HASH Mandiant Apt1 Report T -6377ec0c87f4ec1e7897751dd85d73d4 Intel::FILE_HASH Mandiant Apt1 Report T -63db2f4fd717723f0e6f94e0a6a62c7b Intel::FILE_HASH Mandiant Apt1 Report T -6461ea41f179e660c40ed65aee1a4a2d Intel::FILE_HASH Mandiant 
Apt1 Report T -648ce1c45927b24563dd8361a1b74311 Intel::FILE_HASH Mandiant Apt1 Report T -649d54bc9eef5a60a4b9d8b889fee139 Intel::FILE_HASH Mandiant Apt1 Report T -64fa1239f5aa9a9031e61533283f8c22 Intel::FILE_HASH Mandiant Apt1 Report T -65018cd542145a3792ba09985734c12a Intel::FILE_HASH Mandiant Apt1 Report T -650a6fca433ee243391e4b4c11f09438 Intel::FILE_HASH Mandiant Apt1 Report T -6510cee34da30c7ef5e5e39980402257 Intel::FILE_HASH Mandiant Apt1 Report T -651d83c1b85acb204abd5bf7990a1298 Intel::FILE_HASH Mandiant Apt1 Report T -656baf38fa5ee776e2576cead664d004 Intel::FILE_HASH Mandiant Apt1 Report T -6570163cd34454b3d1476c134d44b9d9 Intel::FILE_HASH Mandiant Apt1 Report T -6576c196385407b0f7f4b1b537d88983 Intel::FILE_HASH Mandiant Apt1 Report T -668b92feb7cbcc7ac75ff97dcec28d10 Intel::FILE_HASH Mandiant Apt1 Report T -66c287675cd4c7172590f71181e723a8 Intel::FILE_HASH Mandiant Apt1 Report T -67504a0c2c2bf47efccdab5ca981ad7d Intel::FILE_HASH Mandiant Apt1 Report T -6767eeb485232436de9553988765fb89 Intel::FILE_HASH Mandiant Apt1 Report T -67f62f5accfeacf5e828c3b3905248fe Intel::FILE_HASH Mandiant Apt1 Report T -6808ec6dbb23f0fa7637c108f44c5c80 Intel::FILE_HASH Mandiant Apt1 Report T -6846ad52c9208830ceaf4cfd81402015 Intel::FILE_HASH Mandiant Apt1 Report T -687a58dcbc076b04bef4ec6050310fb5 Intel::FILE_HASH Mandiant Apt1 Report T -689dcd40d5eae8c0d315265f3d90ffae Intel::FILE_HASH Mandiant Apt1 Report T -68af7be698e8a7408451c158c04a9712 Intel::FILE_HASH Mandiant Apt1 Report T -68c67a6e26855ebc2569d67689c69a6e Intel::FILE_HASH Mandiant Apt1 Report T -68d2fd5049e70942d164e4e25d13dd8e Intel::FILE_HASH Mandiant Apt1 Report T -68e5bff12ac33ecb98977afed51ebad0 Intel::FILE_HASH Mandiant Apt1 Report T -693f711d8fab66a3efca98a19a733d56 Intel::FILE_HASH Mandiant Apt1 Report T -698fbe7ed1ddd7f5c76b86fad3f7a485 Intel::FILE_HASH Mandiant Apt1 Report T -69dc1e1ee273e531e91c60eb86396cc8 Intel::FILE_HASH Mandiant Apt1 Report T -6a4fbcfb44717eae2145c761c1c99b6a Intel::FILE_HASH Mandiant 
Apt1 Report T -6a88f170ab6cb0f9b3252adc61b4f487 Intel::FILE_HASH Mandiant Apt1 Report T -6ab7fa8e5fb63b8d0723387d0a1ffe6d Intel::FILE_HASH Mandiant Apt1 Report T -6b3d19cc86d82b06f5db3ae9d5ba8a5f Intel::FILE_HASH Mandiant Apt1 Report T -6b4ac249f918be9f7bc64ae7fdda947e Intel::FILE_HASH Mandiant Apt1 Report T -6b6c4c0e2959df248be90d89899953a9 Intel::FILE_HASH Mandiant Apt1 Report T -6bf8f1f99ac5bba0db1b66518df378a4 Intel::FILE_HASH Mandiant Apt1 Report T -6bf9083f1567edce004bd1f7c456659d Intel::FILE_HASH Mandiant Apt1 Report T -6c5c5e4049265fffc87973f3e4978b26 Intel::FILE_HASH Mandiant Apt1 Report T -6c65c697bcff935484a5cd2e7dd2e7d2 Intel::FILE_HASH Mandiant Apt1 Report T -6c9c9e40683467f60b910d5bad5285ae Intel::FILE_HASH Mandiant Apt1 Report T -6ca59c9c4165796e08ba6ca3eeffdee6 Intel::FILE_HASH Mandiant Apt1 Report T -6d2320af561b2315c1241e3efd86067f Intel::FILE_HASH Mandiant Apt1 Report T -6db47757ba324bb61ce3cbcabbec52d4 Intel::FILE_HASH Mandiant Apt1 Report T -6deae79fc82df523ba99852266a33f9e Intel::FILE_HASH Mandiant Apt1 Report T -6e442c5ef460bee4c9457c6bf7a132d6 Intel::FILE_HASH Mandiant Apt1 Report T -6e8f302794cfaae731840e345063e652 Intel::FILE_HASH Mandiant Apt1 Report T -6e9bedcf80f21171adb951a0d85d2adb Intel::FILE_HASH Mandiant Apt1 Report T -6eb99bed5b5fcb3fdb26f37aff2c9adb Intel::FILE_HASH Mandiant Apt1 Report T -6ebbfa603aa4e90148ad0b726806c359 Intel::FILE_HASH Mandiant Apt1 Report T -6ebd05a02459d3b22a9d4a79b8626bf1 Intel::FILE_HASH Mandiant Apt1 Report T -6eebee2aebd5194db62cb8230502378c Intel::FILE_HASH Mandiant Apt1 Report T -6f4182baa5a57b717cb9d850dfadb60a Intel::FILE_HASH Mandiant Apt1 Report T -6f551594fdf3539c62389c0cf0d2e16a Intel::FILE_HASH Mandiant Apt1 Report T -6f6abd53e10567d1534514fc36fca2e9 Intel::FILE_HASH Mandiant Apt1 Report T -6f9992c486195edcf0bf2f6ee6c3ec74 Intel::FILE_HASH Mandiant Apt1 Report T -6faa4740f99408d4d2dddd0b09bbdefd Intel::FILE_HASH Mandiant Apt1 Report T -6fbf667e82c1477c4ce635b57b83bfa0 Intel::FILE_HASH Mandiant 
Apt1 Report T -6fdec862951e8b128cd7a07b2031eef6 Intel::FILE_HASH Mandiant Apt1 Report T -70a55fdc712c6e31e013e6b5d412b0d6 Intel::FILE_HASH Mandiant Apt1 Report T -70bb674fc97d7bf4d8dbbe3636f65c4a Intel::FILE_HASH Mandiant Apt1 Report T -70c10f8b4dcd01b07be6cfb4df0d3348 Intel::FILE_HASH Mandiant Apt1 Report T -70e2827ab4af1a38dc09a02fa95b82fe Intel::FILE_HASH Mandiant Apt1 Report T -71173ad2bc7b39342b1bdaadeaaa0d8a Intel::FILE_HASH Mandiant Apt1 Report T -7127241c033c403b18bd281d0dfc4e31 Intel::FILE_HASH Mandiant Apt1 Report T -71536d2e95420c55412c12dffea1a0a6 Intel::FILE_HASH Mandiant Apt1 Report T -7253de652a025b2b4fa7b02e97a1ee6b Intel::FILE_HASH Mandiant Apt1 Report T -727a6800991eead454e53e8af164a99c Intel::FILE_HASH Mandiant Apt1 Report T -7388d67561d0a7989202ad4d37eff24f Intel::FILE_HASH Mandiant Apt1 Report T -73a63c21a08b0ad2c69999e448f8e6a1 Intel::FILE_HASH Mandiant Apt1 Report T -73d125f84503bd87f8142cf2ba8ab05e Intel::FILE_HASH Mandiant Apt1 Report T -74b3ee9f3f6c52413db6e5c9ace34893 Intel::FILE_HASH Mandiant Apt1 Report T -75372eb37415140fa5464f1ebb8a0e74 Intel::FILE_HASH Mandiant Apt1 Report T -753ec12f61c2f7c9a5763c9063a16106 Intel::FILE_HASH Mandiant Apt1 Report T -759b320aca72ba446e7e156407ebc10d Intel::FILE_HASH Mandiant Apt1 Report T -75dad1ccabae8adeb5bae899d0c630f8 Intel::FILE_HASH Mandiant Apt1 Report T -75f37a69664362462ad491741a34f195 Intel::FILE_HASH Mandiant Apt1 Report T -75ff4bd6b209b6f10472c4cd22e3f9e6 Intel::FILE_HASH Mandiant Apt1 Report T -760339e927e391e289bd91bad4cd59c3 Intel::FILE_HASH Mandiant Apt1 Report T -769aeae232c6162cedcb6c7255640c4c Intel::FILE_HASH Mandiant Apt1 Report T -76ba06bac23a2c445cb982bf38b82199 Intel::FILE_HASH Mandiant Apt1 Report T -76bf44d7734ec8581e846a9f3005aed4 Intel::FILE_HASH Mandiant Apt1 Report T -76c1b246703a10cb6e71a3e5b7b55b24 Intel::FILE_HASH Mandiant Apt1 Report T -76f6c7301dbf0219eae991d65804292a Intel::FILE_HASH Mandiant Apt1 Report T -7704ad9e8e0e3d75075e4c294f698d53 Intel::FILE_HASH Mandiant 
Apt1 Report T -7712d05c8b499fc7a1f4a6a6b6dee825 Intel::FILE_HASH Mandiant Apt1 Report T -772c771e13e599cbf25bf9e0199681f7 Intel::FILE_HASH Mandiant Apt1 Report T -77382bb7fd431211b32d84d4de74b043 Intel::FILE_HASH Mandiant Apt1 Report T -775459afc5415984dfa2a0f533011763 Intel::FILE_HASH Mandiant Apt1 Report T -77afced93e20b1bb906796197fa1dd1d Intel::FILE_HASH Mandiant Apt1 Report T -77dc072fdd632c12bacc09ceb8e6ee39 Intel::FILE_HASH Mandiant Apt1 Report T -77fbfed235d6062212a3e43211a5706e Intel::FILE_HASH Mandiant Apt1 Report T -785003a405bc7a4ebcbb21ddb757bf3f Intel::FILE_HASH Mandiant Apt1 Report T -78524ba7f66c0ec4a3755e51709db1aa Intel::FILE_HASH Mandiant Apt1 Report T -7852b941a46e37fe9b332b1be77a6960 Intel::FILE_HASH Mandiant Apt1 Report T -79841c13f645118a600d19def3642d1a Intel::FILE_HASH Mandiant Apt1 Report T -79f3bac2826f8511c96240758af116b4 Intel::FILE_HASH Mandiant Apt1 Report T -7a2692cafec377c444bc3147fc43e57f Intel::FILE_HASH Mandiant Apt1 Report T -7a2eba5ca6f9b2cec61c5cc55dfca762 Intel::FILE_HASH Mandiant Apt1 Report T -7a660a9e48f6065333f388f2c0a67bd8 Intel::FILE_HASH Mandiant Apt1 Report T -7a670d13d4d014169c4080328b8feb86 Intel::FILE_HASH Mandiant Apt1 Report T -7a7a46e8fbc25a624d58e897dee04ffa Intel::FILE_HASH Mandiant Apt1 Report T -7ab86c938b960dfc0c4ffbadd4163666 Intel::FILE_HASH Mandiant Apt1 Report T -7acb0d1df51706536f33bbdb990041d3 Intel::FILE_HASH Mandiant Apt1 Report T -7aecb34616245eb6b2906358151be55b Intel::FILE_HASH Mandiant Apt1 Report T -7aef47f9fd84669976c4b152910a6328 Intel::FILE_HASH Mandiant Apt1 Report T -7af399ff99109a9501da73337c0bdf4b Intel::FILE_HASH Mandiant Apt1 Report T -7b3ce6c2af1acd119a25831fac670bab Intel::FILE_HASH Mandiant Apt1 Report T -7b42b35832855ab4ff37ae9b8fa9e571 Intel::FILE_HASH Mandiant Apt1 Report T -7b451bbbdc840378b785bed6b9e30e0f Intel::FILE_HASH Mandiant Apt1 Report T -7be6c90facbfe9ecf470fb27e6673fbc Intel::FILE_HASH Mandiant Apt1 Report T -7bfeb0eaa1c51513e60bc0abafb1be9f Intel::FILE_HASH Mandiant 
Apt1 Report T -7c82cd17b0fa420f09f97e060621ed7b Intel::FILE_HASH Mandiant Apt1 Report T -7cb055ac3acbf53e07e20b65ec9126a1 Intel::FILE_HASH Mandiant Apt1 Report T -7ce16b35201d8d35965ec7aeebdc80ff Intel::FILE_HASH Mandiant Apt1 Report T -7d0efb2480834a6a80210b7342d51154 Intel::FILE_HASH Mandiant Apt1 Report T -7d25a80fe2c42368adaea5fcbab866b6 Intel::FILE_HASH Mandiant Apt1 Report T -7d3140bd028f70f1fa865364b69c5999 Intel::FILE_HASH Mandiant Apt1 Report T -7deed54a40efc12ea03e3f1859522862 Intel::FILE_HASH Mandiant Apt1 Report T -7e56369d466dd3d85a9b31f65ee8e551 Intel::FILE_HASH Mandiant Apt1 Report T -7e64b28b0050d23970478c81e8037470 Intel::FILE_HASH Mandiant Apt1 Report T -7e8d1f26679a88268e273ab498e597f4 Intel::FILE_HASH Mandiant Apt1 Report T -7eedcd6d00b4f08b825b4c134b6d8f1a Intel::FILE_HASH Mandiant Apt1 Report T -7f1a4bc267ace340a5aa7a0b79cbf349 Intel::FILE_HASH Mandiant Apt1 Report T -7f26403f8e59a5f2728af2d3e0efaabb Intel::FILE_HASH Mandiant Apt1 Report T -7f398b00546c3a0946cd6142c308a556 Intel::FILE_HASH Mandiant Apt1 Report T -7fc52a32337386d867a952a2c8644353 Intel::FILE_HASH Mandiant Apt1 Report T -80856bd8ef7d5dbc3dc774f581855549 Intel::FILE_HASH Mandiant Apt1 Report T -80bca9f272152280a462f84f1588c0cc Intel::FILE_HASH Mandiant Apt1 Report T -8153b612499dbf432e2d9805b20ae783 Intel::FILE_HASH Mandiant Apt1 Report T -815a89041dea3e56348f8f5c8b7d1457 Intel::FILE_HASH Mandiant Apt1 Report T -81602ce95a4b7f3d3cd1953a2456cd92 Intel::FILE_HASH Mandiant Apt1 Report T -81b03cbcfc4b9d090cd8f5e5da816895 Intel::FILE_HASH Mandiant Apt1 Report T -81ce61ed2dc567ce70589386563890ca Intel::FILE_HASH Mandiant Apt1 Report T -82390e18379710df84d48881a1c1d0ed Intel::FILE_HASH Mandiant Apt1 Report T -827040a5f5ae8de281a63899224b2f3a Intel::FILE_HASH Mandiant Apt1 Report T -82b065518f085c6ceb0a9135ab51df41 Intel::FILE_HASH Mandiant Apt1 Report T -830a748959bdd1ad3b6a1f72aab6f063 Intel::FILE_HASH Mandiant Apt1 Report T -830e5cd6d590aa65dd3e2c1a01b42259 Intel::FILE_HASH Mandiant 
Apt1 Report T -831a67dc75e2d4505180888747bc8ea9 Intel::FILE_HASH Mandiant Apt1 Report T -8387adb5325035baa3fe3a2b0cb4921a Intel::FILE_HASH Mandiant Apt1 Report T -839c8c06c4d81f523078b0d45d8250ff Intel::FILE_HASH Mandiant Apt1 Report T -83b3711c32d28a87b173e7e5aba5f826 Intel::FILE_HASH Mandiant Apt1 Report T -8412a3e37499f8289faf54546824ab61 Intel::FILE_HASH Mandiant Apt1 Report T -8442ae37b91f279a9f06de4c60b286a3 Intel::FILE_HASH Mandiant Apt1 Report T -8454918f639a1b0719e00627f211d2ed Intel::FILE_HASH Mandiant Apt1 Report T -8462a62f13f92c34e4b89a7d13a185ad Intel::FILE_HASH Mandiant Apt1 Report T -855ca1b45a247754ad91d50827a2e16c Intel::FILE_HASH Mandiant Apt1 Report T -85c4081a97255ac7ca7d0d5554e86ec1 Intel::FILE_HASH Mandiant Apt1 Report T -85c828f5ea5d99e0c98017f6d6be243f Intel::FILE_HASH Mandiant Apt1 Report T -86a906db5686bbf487689937d15bf71a Intel::FILE_HASH Mandiant Apt1 Report T -86b1f3874bf741a3f9c0d74625af5f8d Intel::FILE_HASH Mandiant Apt1 Report T -86b68ad2e9c33eadf134285ea142ccc2 Intel::FILE_HASH Mandiant Apt1 Report T -86dd715a8d28788e68a575207d66df34 Intel::FILE_HASH Mandiant Apt1 Report T -871cc547feb9dbec0285321068e392b8 Intel::FILE_HASH Mandiant Apt1 Report T -8725870a43192cb0176c82012996910a Intel::FILE_HASH Mandiant Apt1 Report T -874bb818208655b59a8c4c1ae2aef379 Intel::FILE_HASH Mandiant Apt1 Report T -876ee736ebad6917a259456fc3a2f11b Intel::FILE_HASH Mandiant Apt1 Report T -87efe3671ef8f1eca57f2d8f7e4711d9 Intel::FILE_HASH Mandiant Apt1 Report T -8845cb5b4e450cb10a3b6ca41a9b4319 Intel::FILE_HASH Mandiant Apt1 Report T -88b5f635ac9031bcdeda1f751952f966 Intel::FILE_HASH Mandiant Apt1 Report T -88c7c50cd4130561d57a1d3b82c5b953 Intel::FILE_HASH Mandiant Apt1 Report T -88dbcc682635b4013bcba5ad28bb976b Intel::FILE_HASH Mandiant Apt1 Report T -8913ac72cdb8afd98bd8446896e1595a Intel::FILE_HASH Mandiant Apt1 Report T -89164a973ae081991a973aa9d5cdee7c Intel::FILE_HASH Mandiant Apt1 Report T -8934aeed5d213fe29e858eee616a6ec7 Intel::FILE_HASH Mandiant 
Apt1 Report T -898a8a43c8708961094944fb42c278ab Intel::FILE_HASH Mandiant Apt1 Report T -89a2802e2f2356ce6a757f833c3ba3ef Intel::FILE_HASH Mandiant Apt1 Report T -8a7764ded8467bd0fd0c30adc2acc1d4 Intel::FILE_HASH Mandiant Apt1 Report T -8a86df3d382bfd1e4c4165f4cacfdff8 Intel::FILE_HASH Mandiant Apt1 Report T -8b75bcbff174c25a0161f30758509a44 Intel::FILE_HASH Mandiant Apt1 Report T -8bf9698c18b2aa23f71444af2571a6ad Intel::FILE_HASH Mandiant Apt1 Report T -8c57b287a1d2140ccedd6cd097d62ded Intel::FILE_HASH Mandiant Apt1 Report T -8c6ece2ade2bfad3171c925baa64af50 Intel::FILE_HASH Mandiant Apt1 Report T -8c9871a9eb88ffc43507f988b222dc52 Intel::FILE_HASH Mandiant Apt1 Report T -8cb321a7871706fb6246489cb7c4da03 Intel::FILE_HASH Mandiant Apt1 Report T -8cda4e0ee20ddd00003caf7947af7fe4 Intel::FILE_HASH Mandiant Apt1 Report T -8d251ef81b1e2251601a7b2b0c03ec05 Intel::FILE_HASH Mandiant Apt1 Report T -8d81eeaeb0bd74a1faab257079452078 Intel::FILE_HASH Mandiant Apt1 Report T -8dc3561ca52bfe40089f3ee0af7fdd9d Intel::FILE_HASH Mandiant Apt1 Report T -8dfbf8a46d3a302fd420305918e9414d Intel::FILE_HASH Mandiant Apt1 Report T -8e1ec7e556b8c6612b6c34e310c50b66 Intel::FILE_HASH Mandiant Apt1 Report T -8e8622c393d7e832d39e620ead5d3b49 Intel::FILE_HASH Mandiant Apt1 Report T -8f3d20c983f9d82a8ff17466f45ee757 Intel::FILE_HASH Mandiant Apt1 Report T -8f4863b4dfb52d8362c031d3720a6d97 Intel::FILE_HASH Mandiant Apt1 Report T -8fc5fb519a222ab919f28d21545774c6 Intel::FILE_HASH Mandiant Apt1 Report T -8fdb15f3d5480de78c61ccef23722683 Intel::FILE_HASH Mandiant Apt1 Report T -91dc97c4b66e3282e1aa831e0bb0bb14 Intel::FILE_HASH Mandiant Apt1 Report T -91deceb64c795927c6ea07f695f67334 Intel::FILE_HASH Mandiant Apt1 Report T -91f538c08b9dee1bb0c6b6c82f727c5d Intel::FILE_HASH Mandiant Apt1 Report T -9206ae65b685dc7ea1cf1ec02606de6c Intel::FILE_HASH Mandiant Apt1 Report T -929802a27737cebc59d19da724fdf30a Intel::FILE_HASH Mandiant Apt1 Report T -933b11bc4799f8d9f65466fb2e3ea659 Intel::FILE_HASH Mandiant 
Apt1 Report T -9371fcd92ef86ccf450af903bc74ec01 Intel::FILE_HASH Mandiant Apt1 Report T -9400fb97c145587b17fb456fac636771 Intel::FILE_HASH Mandiant Apt1 Report T -94a59ce0fadf84f6efa10fe7d5ee3a03 Intel::FILE_HASH Mandiant Apt1 Report T -950234183528ce107d65b700be1bbbd3 Intel::FILE_HASH Mandiant Apt1 Report T -9548e5ed4fbacd0ed4a9d6a27f5d8fec Intel::FILE_HASH Mandiant Apt1 Report T -959c680c26f26e7f1dd61607942dc96a Intel::FILE_HASH Mandiant Apt1 Report T -95d85aa629a786bb67439a064c4349ec Intel::FILE_HASH Mandiant Apt1 Report T -95f25d3afc5370f5d9fd8e65c17d3599 Intel::FILE_HASH Mandiant Apt1 Report T -966db6a32ccf7e57394706abc3999189 Intel::FILE_HASH Mandiant Apt1 Report T -9675827a495f4ba6a4efd4dd70932b7c Intel::FILE_HASH Mandiant Apt1 Report T -973f4a238d6d19bdc7b42977b07b9cef Intel::FILE_HASH Mandiant Apt1 Report T -97c83d85bd76a38b13cea960a1a97f70 Intel::FILE_HASH Mandiant Apt1 Report T -98409dbf432419024dbf028c004344c1 Intel::FILE_HASH Mandiant Apt1 Report T -989b797c2a63fbfc8e1c6e8a8ccd6204 Intel::FILE_HASH Mandiant Apt1 Report T -98bddd6c789a883afa1de3524bb8ea8e Intel::FILE_HASH Mandiant Apt1 Report T -98cf219830733fb98fd2a957b7c4b163 Intel::FILE_HASH Mandiant Apt1 Report T -98d257a13d176940910d6441a854d7a4 Intel::FILE_HASH Mandiant Apt1 Report T -99882234b814b860a22b4d441b92fd82 Intel::FILE_HASH Mandiant Apt1 Report T -99a29ccea951a950040f3944abafed40 Intel::FILE_HASH Mandiant Apt1 Report T -99a39866a657a10949fcb6d634bb30d5 Intel::FILE_HASH Mandiant Apt1 Report T -99a7e4a01b813b9b26ba76bf0b484742 Intel::FILE_HASH Mandiant Apt1 Report T -9a58cc73e103fd5a14ef3564e35c03df Intel::FILE_HASH Mandiant Apt1 Report T -9a66fa24268d158341d497feecbed889 Intel::FILE_HASH Mandiant Apt1 Report T -9ad292de00b2175a80b5909fa173cdcd Intel::FILE_HASH Mandiant Apt1 Report T -9c03ab63a45d29aee90b72ae89f2f613 Intel::FILE_HASH Mandiant Apt1 Report T -9c36333385d351e59d6c4372d757479e Intel::FILE_HASH Mandiant Apt1 Report T -9cb07b71dcd1ac9dfdbf9f4cdfd4f273 Intel::FILE_HASH Mandiant 
Apt1 Report T -9d1d58e370bea4b5e79a1f914516cbc0 Intel::FILE_HASH Mandiant Apt1 Report T -9d5aabcda9106132d1e1b6cf6cae28aa Intel::FILE_HASH Mandiant Apt1 Report T -9d7499c3a01daba5c9b5090b079808ca Intel::FILE_HASH Mandiant Apt1 Report T -9d75897d9c0a5da7e95082ea5ae1f648 Intel::FILE_HASH Mandiant Apt1 Report T -9d85a2ae1e7971a49cb417d97797ac8a Intel::FILE_HASH Mandiant Apt1 Report T -9d8a7970be7826d29732817c0cc84bde Intel::FILE_HASH Mandiant Apt1 Report T -9d93fc89fb6e0a8142e837b2de045fdd Intel::FILE_HASH Mandiant Apt1 Report T -9dab4da07ed669b44f409eb60f3b0e50 Intel::FILE_HASH Mandiant Apt1 Report T -9df30198f52b16925db1e3da61cfc754 Intel::FILE_HASH Mandiant Apt1 Report T -9e30b1665077b7e65bc8ff1e7c752306 Intel::FILE_HASH Mandiant Apt1 Report T -9e511dc5ad8a884f4416e68c54f742e1 Intel::FILE_HASH Mandiant Apt1 Report T -9e860622fee66074dfe81dcfcc40c4e2 Intel::FILE_HASH Mandiant Apt1 Report T -9ea3c16194ce354c244c1b74c46cd92e Intel::FILE_HASH Mandiant Apt1 Report T -9ecf9d5d8872fe55ab120265c3749ffc Intel::FILE_HASH Mandiant Apt1 Report T -9f11bc08af048c5c3a110e567082fe0b Intel::FILE_HASH Mandiant Apt1 Report T -9f3fbec4341f246aa6131ab01d6e4234 Intel::FILE_HASH Mandiant Apt1 Report T -9fc3ed6c9b8056fbf155f79569ca7cb1 Intel::FILE_HASH Mandiant Apt1 Report T -a039a61e4c274811b0388aa517d29fbb Intel::FILE_HASH Mandiant Apt1 Report T -a1468ce16f2d17979cc1a61878c1c8c6 Intel::FILE_HASH Mandiant Apt1 Report T -a14e8df8bc55f7459d24fe526f51a16d Intel::FILE_HASH Mandiant Apt1 Report T -a17bb80ae02c8b003cf69222fa13f506 Intel::FILE_HASH Mandiant Apt1 Report T -a1b8aa19c92c257cbace54337f6672d3 Intel::FILE_HASH Mandiant Apt1 Report T -a1b924b8c8fa157ae8775fd86f692053 Intel::FILE_HASH Mandiant Apt1 Report T -a1cb8a9f2b8926afeb254a64f1d78ee3 Intel::FILE_HASH Mandiant Apt1 Report T -a24112e4b875038331d2672b6427763c Intel::FILE_HASH Mandiant Apt1 Report T -a241eec892637dec971bd925a40d3efb Intel::FILE_HASH Mandiant Apt1 Report T -a2534e9b7e4146368ea3245381830eb0 Intel::FILE_HASH Mandiant 
Apt1 Report T -a28ee614e3d783a7561cf8a5a469959f Intel::FILE_HASH Mandiant Apt1 Report T -a2cd1189860b9ba214421aab86ecbc8a Intel::FILE_HASH Mandiant Apt1 Report T -a2feee5e0ac3f825d4b7de7e0b95bb1f Intel::FILE_HASH Mandiant Apt1 Report T -a311516cdf06d3db4f49e67da5213ebe Intel::FILE_HASH Mandiant Apt1 Report T -a316d5aeca269ca865077e7fff356e7d Intel::FILE_HASH Mandiant Apt1 Report T -a34234a27157851300d9b698f6c56d9a Intel::FILE_HASH Mandiant Apt1 Report T -a354e3c566645100e757f3e43c9b007d Intel::FILE_HASH Mandiant Apt1 Report T -a360b16c19ab9dea6763f777257c5f38 Intel::FILE_HASH Mandiant Apt1 Report T -a38a367d6696ba90b2e778a5a4bf98fd Intel::FILE_HASH Mandiant Apt1 Report T -a40e20ff8b991308f508239625f275d8 Intel::FILE_HASH Mandiant Apt1 Report T -a4143ade719c2222d8602819a3e212ae Intel::FILE_HASH Mandiant Apt1 Report T -a44312eb63de002383a57b5a93271cdc Intel::FILE_HASH Mandiant Apt1 Report T -a4903f7c293993069f865468bd7cec78 Intel::FILE_HASH Mandiant Apt1 Report T -a4ad7335aa391519cc5fc9140f2562f2 Intel::FILE_HASH Mandiant Apt1 Report T -a510d0c9b7930abaa7aa6b0ac294e675 Intel::FILE_HASH Mandiant Apt1 Report T -a517ca12e2648b0590a5af565f8346b3 Intel::FILE_HASH Mandiant Apt1 Report T -a565682d8a13a5719977223e0d9c7aa4 Intel::FILE_HASH Mandiant Apt1 Report T -a5b581c0600815b1112ca2fed578928b Intel::FILE_HASH Mandiant Apt1 Report T -a5d4ebc0285f0213e0c29d23bc410889 Intel::FILE_HASH Mandiant Apt1 Report T -a6117891e42ee7db36253b57839c8b8f Intel::FILE_HASH Mandiant Apt1 Report T -a639f598d4c0b9aa7a4691d05f27d977 Intel::FILE_HASH Mandiant Apt1 Report T -a6725f263daf3e94adc3668751b909d0 Intel::FILE_HASH Mandiant Apt1 Report T -a6a583aeaf4952787e15f30d289ca138 Intel::FILE_HASH Mandiant Apt1 Report T -a6b99080565aa7933d946b8b9d9d7476 Intel::FILE_HASH Mandiant Apt1 Report T -a70aaf335f7f1a04c7fe194602b11c14 Intel::FILE_HASH Mandiant Apt1 Report T -a7117612ea6b6fa3307943f5ed21fbb4 Intel::FILE_HASH Mandiant Apt1 Report T -a7f17c75519fb8a39d37c47617202b05 Intel::FILE_HASH Mandiant 
Apt1 Report T -a807ad465b2fe5859c85626e97eaf907 Intel::FILE_HASH Mandiant Apt1 Report T -a810ab506857c933df2bea40ae0eb548 Intel::FILE_HASH Mandiant Apt1 Report T -a8b183fe32ad8d426e20227f3c8b7592 Intel::FILE_HASH Mandiant Apt1 Report T -a8b2ac446c614fd5d4880d95369deb3b Intel::FILE_HASH Mandiant Apt1 Report T -a8f259bb36e00d124963cfa9b86f502e Intel::FILE_HASH Mandiant Apt1 Report T -a96a6c91e71e243f00a64f53e2fd6415 Intel::FILE_HASH Mandiant Apt1 Report T -a9993969be3ea340d420eea5868c0d1d Intel::FILE_HASH Mandiant Apt1 Report T -a99e06e2f90db4e506ef1347a8774dd5 Intel::FILE_HASH Mandiant Apt1 Report T -aa4f1ecc4d25b33395196b5d51a06790 Intel::FILE_HASH Mandiant Apt1 Report T -ab00b38179851c8aa3f9bc80ed7baa23 Intel::FILE_HASH Mandiant Apt1 Report T -ab208f0b517ba9850f1551c9555b5313 Intel::FILE_HASH Mandiant Apt1 Report T -ab445da3ee4e81a84d644476f669d35c Intel::FILE_HASH Mandiant Apt1 Report T -abcaf816de63c632ec23d6bda3f02bb5 Intel::FILE_HASH Mandiant Apt1 Report T -abe6ab89f957f6edf8f41b5ad198e5e6 Intel::FILE_HASH Mandiant Apt1 Report T -abff707cb54a6e5a9fcbb3fef74dbddc Intel::FILE_HASH Mandiant Apt1 Report T -ac87816b9a371e72512d8fd82f61c737 Intel::FILE_HASH Mandiant Apt1 Report T -acb99e5318f7001298df1aef51a9463e Intel::FILE_HASH Mandiant Apt1 Report T -ace798670a64b38aa7d065c776b49f17 Intel::FILE_HASH Mandiant Apt1 Report T -ad3cccbe9ddff04b670d353b938f5da9 Intel::FILE_HASH Mandiant Apt1 Report T -ad7bdadde9a4da73ffc776c606dbb75e Intel::FILE_HASH Mandiant Apt1 Report T -ad8cde8841208ff226e04e8514dc699c Intel::FILE_HASH Mandiant Apt1 Report T -adb2fc194b960e694aa450161f1df6fc Intel::FILE_HASH Mandiant Apt1 Report T -adb62105427567ddc11124fc27921c40 Intel::FILE_HASH Mandiant Apt1 Report T -ae1dda87cc5998de79ecb68527bbd191 Intel::FILE_HASH Mandiant Apt1 Report T -af2745e8888f2ba17a9cf2e0779d3874 Intel::FILE_HASH Mandiant Apt1 Report T -af2f7b070245c90bd2a0a0845314173a Intel::FILE_HASH Mandiant Apt1 Report T -af719814507fdca4b96184f33b6b92ea Intel::FILE_HASH Mandiant 
Apt1 Report T -b0538781d47dde1e9a46a2610155c2d3 Intel::FILE_HASH Mandiant Apt1 Report T -b07322743778b5868475dbe66eedac4f Intel::FILE_HASH Mandiant Apt1 Report T -b0d4fbcc0c65c7d5ef7e1c4309c719cb Intel::FILE_HASH Mandiant Apt1 Report T -b145e4d19f5ecfaad45c795aee69c8dc Intel::FILE_HASH Mandiant Apt1 Report T -b1838a6c341260fbdaf288795cc63900 Intel::FILE_HASH Mandiant Apt1 Report T -b1912db011633d98bc40ac568a4167a7 Intel::FILE_HASH Mandiant Apt1 Report T -b1ee00cec6c2318fa86f320dd7fc99a8 Intel::FILE_HASH Mandiant Apt1 Report T -b1ff1ef983a1aee3a395788ec441d006 Intel::FILE_HASH Mandiant Apt1 Report T -b2599b3078c28a278a3e7cd8b46304da Intel::FILE_HASH Mandiant Apt1 Report T -b305b543da332a2fcf6e1ce55ed2ea79 Intel::FILE_HASH Mandiant Apt1 Report T -b36168ea438520875c621f5603db003f Intel::FILE_HASH Mandiant Apt1 Report T -b3848edbabfbce246a9faf5466e743bf Intel::FILE_HASH Mandiant Apt1 Report T -b3af1381f69e36b72e5b272f06aa1fa2 Intel::FILE_HASH Mandiant Apt1 Report T -b3bc979d8de3be09728c5de1a0297c4b Intel::FILE_HASH Mandiant Apt1 Report T -b3defdbd173738d44137f88a571647e1 Intel::FILE_HASH Mandiant Apt1 Report T -b43266a047b2895399f4883cfe37c089 Intel::FILE_HASH Mandiant Apt1 Report T -b47e5d095be9fd61016817359f6c2887 Intel::FILE_HASH Mandiant Apt1 Report T -b54f58c484f56c704858ccfffbb9d535 Intel::FILE_HASH Mandiant Apt1 Report T -b5a430a0696b5b25ae6b4fa5cbfe3333 Intel::FILE_HASH Mandiant Apt1 Report T -b5e9ce72771217680efaeecfafe3da3f Intel::FILE_HASH Mandiant Apt1 Report T -b631a3d832f7c22c26554711188f59c3 Intel::FILE_HASH Mandiant Apt1 Report T -b63452ecd2da62f30923a124bcd41b45 Intel::FILE_HASH Mandiant Apt1 Report T -b661f78279ca0b2e0ae611013eb00f20 Intel::FILE_HASH Mandiant Apt1 Report T -b6f2f483e03b9399f055a1ba5e0713a4 Intel::FILE_HASH Mandiant Apt1 Report T -b74022a7b9b63fdc541ae0848b28a962 Intel::FILE_HASH Mandiant Apt1 Report T -b743f6af7e307221ba425d6023ebe42c Intel::FILE_HASH Mandiant Apt1 Report T -b7dba6184f07b1e824362a2307d91ae2 Intel::FILE_HASH Mandiant 
Apt1 Report T -b8277cce81e0a372bc35d33a0c9483c2 Intel::FILE_HASH Mandiant Apt1 Report T -b86e89a42a1c1bc6ea15096c68e38ba4 Intel::FILE_HASH Mandiant Apt1 Report T -b883f8e5a1420d1f511266b9253c11c4 Intel::FILE_HASH Mandiant Apt1 Report T -b8dfe540bef505cd1adbd5f8ff31d028 Intel::FILE_HASH Mandiant Apt1 Report T -b8f61242e28f2edf6cb1be8781438491 Intel::FILE_HASH Mandiant Apt1 Report T -b92db06d17d3bf906c47a0384e771076 Intel::FILE_HASH Mandiant Apt1 Report T -b9b3673a721578b230490f7dfc6df21e Intel::FILE_HASH Mandiant Apt1 Report T -ba0c4d3dbf07d407211b5828405a9b91 Intel::FILE_HASH Mandiant Apt1 Report T -ba10b9486043f76bb9e9a160bc1d2576 Intel::FILE_HASH Mandiant Apt1 Report T -ba56035e10b423734e0ce01bb7bb8b6d Intel::FILE_HASH Mandiant Apt1 Report T -ba773e1608198cf8337c5902d7930710 Intel::FILE_HASH Mandiant Apt1 Report T -baabd9b76bff84ed27fd432cfc6df241 Intel::FILE_HASH Mandiant Apt1 Report T -bac2e89bd92ce23e1e93a63d26dea01a Intel::FILE_HASH Mandiant Apt1 Report T -bb286e9969ca197b461286b679c0886e Intel::FILE_HASH Mandiant Apt1 Report T -bc7092008ca37adf497b75eb98e2e175 Intel::FILE_HASH Mandiant Apt1 Report T -bc723e4f93a3bf85f4d1e1910393d1a3 Intel::FILE_HASH Mandiant Apt1 Report T -bc756bb6bf4e7b2058e8dce6ba8b1a79 Intel::FILE_HASH Mandiant Apt1 Report T -bca9bd0abbb31a422458abf521a6a2fb Intel::FILE_HASH Mandiant Apt1 Report T -bcb087f69792b69494a3edad51a842bb Intel::FILE_HASH Mandiant Apt1 Report T -bcbdef1678049378be04719ed29078d2 Intel::FILE_HASH Mandiant Apt1 Report T -bcdf8cb0868daaec3ba6176e3e7d3cfc Intel::FILE_HASH Mandiant Apt1 Report T -bce4b77a4e4acc70a3f6f52ec0a2f033 Intel::FILE_HASH Mandiant Apt1 Report T -bd15714360c12ffca4c3c1e86fc69d0e Intel::FILE_HASH Mandiant Apt1 Report T -bd402e910e03b70f00685d8b8be5093c Intel::FILE_HASH Mandiant Apt1 Report T -bd8b082b7711bc980252f988bb0ca936 Intel::FILE_HASH Mandiant Apt1 Report T -bdc5e16aec2c3796fb879a5c260d6ca9 Intel::FILE_HASH Mandiant Apt1 Report T -bdd2ad4c0e1e5667d117810ae9e36c4b Intel::FILE_HASH Mandiant 
Apt1 Report T -be58ff564c854be419a19a030af25c86 Intel::FILE_HASH Mandiant Apt1 Report T -be74bf5afd4ba64cc8ce237307e9254d Intel::FILE_HASH Mandiant Apt1 Report T -bebbbc50a561681f48d174d6b7c2824e Intel::FILE_HASH Mandiant Apt1 Report T -bee9b7835a02973678e9ead683da1ac4 Intel::FILE_HASH Mandiant Apt1 Report T -bf0d5aff9c1f33e089c9c85f03c6ba8a Intel::FILE_HASH Mandiant Apt1 Report T -bf0ee4367ea32f8e3b911c304258e439 Intel::FILE_HASH Mandiant Apt1 Report T -bf80dbf969b73790253f683cd723fd71 Intel::FILE_HASH Mandiant Apt1 Report T -bf9aeefc53d97bb23d35d47986504cef Intel::FILE_HASH Mandiant Apt1 Report T -bfcae0468de0c7bcf92e9989589082f1 Intel::FILE_HASH Mandiant Apt1 Report T -c0134285a276ab933e2a2b9b33b103cd Intel::FILE_HASH Mandiant Apt1 Report T -c044715c2626ab515f6c85a21c47c7dd Intel::FILE_HASH Mandiant Apt1 Report T -c04c796ef126ad7429be7d55720fe392 Intel::FILE_HASH Mandiant Apt1 Report T -c0a33a1b472a8c16123fd696a5ce5ebb Intel::FILE_HASH Mandiant Apt1 Report T -c0a494e643c42a89d5bf718ea274df04 Intel::FILE_HASH Mandiant Apt1 Report T -c110f08399c5dca64d7dc4539eb82083 Intel::FILE_HASH Mandiant Apt1 Report T -c116f5f89e24c7de3ea9cae83b7fc829 Intel::FILE_HASH Mandiant Apt1 Report T -c1bd23ece59e36143d80f7eec0e38c52 Intel::FILE_HASH Mandiant Apt1 Report T -c21591aa72ac72872f5bd05bbca5e4da Intel::FILE_HASH Mandiant Apt1 Report T -c2a79bb15a31fd6584d9bf0891673d14 Intel::FILE_HASH Mandiant Apt1 Report T -c2e06531a2e6de3c1b7d18b14af53fdf Intel::FILE_HASH Mandiant Apt1 Report T -c2fa9f567fd34fb14fee6a38b6644ff9 Intel::FILE_HASH Mandiant Apt1 Report T -c307bad133cc160a0129fda4c57e0f52 Intel::FILE_HASH Mandiant Apt1 Report T -c30c7fa2eb06fc8c9ebbe955abe26edd Intel::FILE_HASH Mandiant Apt1 Report T -c39bc83c16f9db8a7c43a966048bca7b Intel::FILE_HASH Mandiant Apt1 Report T -c39e272e9ea15d61e0c8e6b749a1ad46 Intel::FILE_HASH Mandiant Apt1 Report T -c3af09a9fc487314eb4c9fe92a01845a Intel::FILE_HASH Mandiant Apt1 Report T -c3dbd79adfa21706f5451cc68331d31e Intel::FILE_HASH Mandiant 
Apt1 Report T -c3de028cbc5aa0934008d95689d5f334 Intel::FILE_HASH Mandiant Apt1 Report T -c3e5603a38e700274d1ab30ce93d08b9 Intel::FILE_HASH Mandiant Apt1 Report T -c4188c3bb6982d41aa783c499113a8e3 Intel::FILE_HASH Mandiant Apt1 Report T -c41e44045cebebfba234063de8fd7c4d Intel::FILE_HASH Mandiant Apt1 Report T -c425b8782075da33cba5aae5ad612582 Intel::FILE_HASH Mandiant Apt1 Report T -c4c638750526e28f68d6d71fd1266bdf Intel::FILE_HASH Mandiant Apt1 Report T -c4f144febf16ff8f36df15353d5347ce Intel::FILE_HASH Mandiant Apt1 Report T -c53332a5bf112f03ed22b06d85140626 Intel::FILE_HASH Mandiant Apt1 Report T -c65617a4eedb8e0369ef8fe58ce20a02 Intel::FILE_HASH Mandiant Apt1 Report T -c69a708a2a8e4581dd95f90da3833840 Intel::FILE_HASH Mandiant Apt1 Report T -c6a29993234488fcbdcf45668eac9c47 Intel::FILE_HASH Mandiant Apt1 Report T -c6a4bb1a4e4f69ec71855d70d6960859 Intel::FILE_HASH Mandiant Apt1 Report T -c72edb12880a9af12b439a7a2d0584c1 Intel::FILE_HASH Mandiant Apt1 Report T -c763e041c8e85c195ade90e120338be7 Intel::FILE_HASH Mandiant Apt1 Report T -c799e1d25839e1efb2b3d42d6d6efd26 Intel::FILE_HASH Mandiant Apt1 Report T -c7b48b6965642b504f6f36933762df8a Intel::FILE_HASH Mandiant Apt1 Report T -c8d2b7f92fff545b3b19e9b1e1057071 Intel::FILE_HASH Mandiant Apt1 Report T -c9172b3e83c782bc930c06b628f31fa5 Intel::FILE_HASH Mandiant Apt1 Report T -c91eacab7655870764d13ba741aa9a73 Intel::FILE_HASH Mandiant Apt1 Report T -c99fa835350aa9e2427ce69323b061a9 Intel::FILE_HASH Mandiant Apt1 Report T -c9f77569aa98f71cc42644d66d9f371c Intel::FILE_HASH Mandiant Apt1 Report T -ca27a87928443e21dc279008008018ba Intel::FILE_HASH Mandiant Apt1 Report T -ca327bc83fbe38b3689cd1a5505dfc33 Intel::FILE_HASH Mandiant Apt1 Report T -ca68ccc887cfe5d2194f6a4d3101ae66 Intel::FILE_HASH Mandiant Apt1 Report T -ca6fe7a1315af5afeac2961460a80569 Intel::FILE_HASH Mandiant Apt1 Report T -ca899eda2c32e7d305272dd48bc8e1e1 Intel::FILE_HASH Mandiant Apt1 Report T -ca9c1f8d709ed34d388dc7cba2bd7602 Intel::FILE_HASH Mandiant 
Apt1 Report T -caf33d1e15953c0e782846e1709498f6 Intel::FILE_HASH Mandiant Apt1 Report T -cb15768a3e5c86d22289dcefec56d8a2 Intel::FILE_HASH Mandiant Apt1 Report T -cb3a9d7505be48019e242fbccc7e5f6b Intel::FILE_HASH Mandiant Apt1 Report T -cb3c5c3f53ecb2cb656fb0f4b8de03f6 Intel::FILE_HASH Mandiant Apt1 Report T -cc0b9bf4ea738d63f06bfe411460412b Intel::FILE_HASH Mandiant Apt1 Report T -cc17fe9f2d254ad28d050bf5c1df983d Intel::FILE_HASH Mandiant Apt1 Report T -cc3a9a7b026bfe0e55ff219fd6aa7d94 Intel::FILE_HASH Mandiant Apt1 Report T -cc7c8aba24c66373502ba5934696b7b6 Intel::FILE_HASH Mandiant Apt1 Report T -cca290cd2abe96392378b71e9835ce06 Intel::FILE_HASH Mandiant Apt1 Report T -ccfb7a84bb87cc8f86ddd260ad38ed5b Intel::FILE_HASH Mandiant Apt1 Report T -cd2102c5db1ed828a9c196448c40af3e Intel::FILE_HASH Mandiant Apt1 Report T -cd4674e2b7be30121a46a053205472a8 Intel::FILE_HASH Mandiant Apt1 Report T -cd677f9ede43b4b86b421db249c0e020 Intel::FILE_HASH Mandiant Apt1 Report T -cd6c1dbf08d8864b382678284ef13358 Intel::FILE_HASH Mandiant Apt1 Report T -ce003a75c85627cbc7e6eb39beff0722 Intel::FILE_HASH Mandiant Apt1 Report T -cf038194f0fe222f31ec24cb80941bb1 Intel::FILE_HASH Mandiant Apt1 Report T -cf9c2d5a8fbdd1c5adc20cfc5e663c21 Intel::FILE_HASH Mandiant Apt1 Report T -cfc6112254a69030521d0d2bba152d4d Intel::FILE_HASH Mandiant Apt1 Report T -cfce9478c880934b3548c3022a956e14 Intel::FILE_HASH Mandiant Apt1 Report T -cfe738fcc07b9ece6a11c3390d43b5df Intel::FILE_HASH Mandiant Apt1 Report T -d0d5a20c5a6c4fddab4d43b85632b6a9 Intel::FILE_HASH Mandiant Apt1 Report T -d0fb18b1e1f642f595a4746826350c21 Intel::FILE_HASH Mandiant Apt1 Report T -d16947b200afa74a917f055597b772c0 Intel::FILE_HASH Mandiant Apt1 Report T -d197c388184fef263b7944a7186bc6db Intel::FILE_HASH Mandiant Apt1 Report T -d1a18c7de189170c588e7128ec3f8453 Intel::FILE_HASH Mandiant Apt1 Report T -d20f0fbd001fd30610c3317fd3c6f7c0 Intel::FILE_HASH Mandiant Apt1 Report T -d22863c5e6f098a4b52688b021beef0a Intel::FILE_HASH Mandiant 
Apt1 Report T -d25be76b6d871a26eec08ad1bee0273d Intel::FILE_HASH Mandiant Apt1 Report T -d262cb8267beb0e218f6d11d6af9052e Intel::FILE_HASH Mandiant Apt1 Report T -d263fed2e1c18f2cb439afcef0cd1b45 Intel::FILE_HASH Mandiant Apt1 Report T -d271ae0f4e9230af3b61eafe7f671fde Intel::FILE_HASH Mandiant Apt1 Report T -d2c616bf238fc18f9ea0a1643bd2d4bc Intel::FILE_HASH Mandiant Apt1 Report T -d2f1be7e10ed39aa8bc0f7f671d824d2 Intel::FILE_HASH Mandiant Apt1 Report T -d3358ed4001ec0366fa23fe82759df2a Intel::FILE_HASH Mandiant Apt1 Report T -d34e357461c55d90c52309c1ff952b4c Intel::FILE_HASH Mandiant Apt1 Report T -d3f9d4bc51db1e602093e3003fc789d9 Intel::FILE_HASH Mandiant Apt1 Report T -d41c6005a75a6d28480d63f540d36c70 Intel::FILE_HASH Mandiant Apt1 Report T -d47b04327157fb188c0e81886e346c48 Intel::FILE_HASH Mandiant Apt1 Report T -d4ba6430996fb4021241efc97c607504 Intel::FILE_HASH Mandiant Apt1 Report T -d4c1bfc5cd3e33643a562696d5d29bf2 Intel::FILE_HASH Mandiant Apt1 Report T -d4c7f1f80883412f9796f1270accff50 Intel::FILE_HASH Mandiant Apt1 Report T -d5e56f7da9d2a78e49d3d0685e9613ca Intel::FILE_HASH Mandiant Apt1 Report T -d5fd1ce9189cd54f157d691e317c0821 Intel::FILE_HASH Mandiant Apt1 Report T -d60ee4a39667a733c075bb7f7b36285a Intel::FILE_HASH Mandiant Apt1 Report T -d62cd4ad2a919b6acfa6d49d446dffdb Intel::FILE_HASH Mandiant Apt1 Report T -d6a01b61f490488d61dfb9376186d844 Intel::FILE_HASH Mandiant Apt1 Report T -d74b169e98dd16d0f3af0dc770dffac0 Intel::FILE_HASH Mandiant Apt1 Report T -d751c7f7d2eab52c43ab31312e229307 Intel::FILE_HASH Mandiant Apt1 Report T -d76ea982d614c66c5faa36ab5fdd8b41 Intel::FILE_HASH Mandiant Apt1 Report T -d776379bda9fdf695d6a54db8a5b4c72 Intel::FILE_HASH Mandiant Apt1 Report T -d7796209412da17b2ee2ccf2309b4abf Intel::FILE_HASH Mandiant Apt1 Report T -d7aa32b7465f55c368230bb52d52d885 Intel::FILE_HASH Mandiant Apt1 Report T -d802a0c3e0c3dcac43877bd488f2b042 Intel::FILE_HASH Mandiant Apt1 Report T -d8238e950608e5aba3d3e9e83e9ee2cc Intel::FILE_HASH Mandiant 
Apt1 Report T -d8315c114107b7418c32f85e263766b7 Intel::FILE_HASH Mandiant Apt1 Report T -d8b7b276710127d233abcdb7313aac36 Intel::FILE_HASH Mandiant Apt1 Report T -d8fdd9cfca25315635378dd2564094ca Intel::FILE_HASH Mandiant Apt1 Report T -d915f1c6792eed61dddb30e512e6c202 Intel::FILE_HASH Mandiant Apt1 Report T -d9b1c95fb4424cf69a0ac8e40b3ab39b Intel::FILE_HASH Mandiant Apt1 Report T -d9c4ebd61c1aee52b3597aae048a592f Intel::FILE_HASH Mandiant Apt1 Report T -d9fb6620e4402764bbf2088de02898ca Intel::FILE_HASH Mandiant Apt1 Report T -d9fbf759f527af373e34673dc3aca462 Intel::FILE_HASH Mandiant Apt1 Report T -da383cc098a5ea8fbb87643611e4bfb6 Intel::FILE_HASH Mandiant Apt1 Report T -da52e6701c9eba92459c6be28efdba74 Intel::FILE_HASH Mandiant Apt1 Report T -da5ff7927d608d7ccc7495939d457bd3 Intel::FILE_HASH Mandiant Apt1 Report T -da60673b4f2a4660d2734a16a832282f Intel::FILE_HASH Mandiant Apt1 Report T -da6b0ee7ec735029d1ff4fa863a71de8 Intel::FILE_HASH Mandiant Apt1 Report T -db05df0498b59b42a8e493cf3c10c578 Intel::FILE_HASH Mandiant Apt1 Report T -db2580f5675f04716481b24bb7af468e Intel::FILE_HASH Mandiant Apt1 Report T -db50416d9e67f4982e89e0ffb0ade6f3 Intel::FILE_HASH Mandiant Apt1 Report T -db5805604f84b7303fa04feb18ce8271 Intel::FILE_HASH Mandiant Apt1 Report T -dba356a4726b94731e6ea97aa73cfc3f Intel::FILE_HASH Mandiant Apt1 Report T -dbdd2a9c86e71ba0c9953ff4f89cc25b Intel::FILE_HASH Mandiant Apt1 Report T -dc059121677ec7a038589cda28cbcc49 Intel::FILE_HASH Mandiant Apt1 Report T -dc1cff84900afc9d292b305f9b9aae34 Intel::FILE_HASH Mandiant Apt1 Report T -dc373f011e86d5528ca4824bb287c406 Intel::FILE_HASH Mandiant Apt1 Report T -dc78fd49b7f39fa3bb06b927e8413dd0 Intel::FILE_HASH Mandiant Apt1 Report T -dcb90efe7e09d6900242af25aeca7b73 Intel::FILE_HASH Mandiant Apt1 Report T -dd1222f96024ac28179c7508e4193285 Intel::FILE_HASH Mandiant Apt1 Report T -dd1bede0e42d26fd2439a6e48547023c Intel::FILE_HASH Mandiant Apt1 Report T -dd21d1ea2146861a4219b1cbdaefe59b Intel::FILE_HASH Mandiant 
Apt1 Report T -ddf3db31f9fa21cd43ff19dde393aba8 Intel::FILE_HASH Mandiant Apt1 Report T -de016572ade175d37cfbfabe8174391a Intel::FILE_HASH Mandiant Apt1 Report T -df4da15796910690b05e393561b86fa1 Intel::FILE_HASH Mandiant Apt1 Report T -df5c89d49ef8997c9b5abd8f808298c8 Intel::FILE_HASH Mandiant Apt1 Report T -dff4d874b2bfc64a4d1805959c379074 Intel::FILE_HASH Mandiant Apt1 Report T -dffd04ea26c03d3f6c67e10405abc5ad Intel::FILE_HASH Mandiant Apt1 Report T -e06145fccac413d8c753bc822619945c Intel::FILE_HASH Mandiant Apt1 Report T -e0c4cbf3ed293e8a8df3f3987b42caac Intel::FILE_HASH Mandiant Apt1 Report T -e0fc0fae758d7c6091cdb11d5ef98e0e Intel::FILE_HASH Mandiant Apt1 Report T -e1b6940985a23e5639450f8391820655 Intel::FILE_HASH Mandiant Apt1 Report T -e22f2e9ee73ab8b12ee5069f7e39a615 Intel::FILE_HASH Mandiant Apt1 Report T -e24e889e826df04f552e0d133548b693 Intel::FILE_HASH Mandiant Apt1 Report T -e43040ede0645a38ea5a35c26192126f Intel::FILE_HASH Mandiant Apt1 Report T -e476e4a24f8b4ff4c8a0b260aa35fc9f Intel::FILE_HASH Mandiant Apt1 Report T -e480c8839e819eaa9b19d53acfa95052 Intel::FILE_HASH Mandiant Apt1 Report T -e4a9b8993e55e3d0ba355b13d1f27a2e Intel::FILE_HASH Mandiant Apt1 Report T -e4be1e46775081b1d5405b3dd7dd1c64 Intel::FILE_HASH Mandiant Apt1 Report T -e50af782414228e52e59bcbe518b1966 Intel::FILE_HASH Mandiant Apt1 Report T -e5237615fde0977c0ea3626fba609ab8 Intel::FILE_HASH Mandiant Apt1 Report T -e54ce5f0112c9fdfe86db17e85a5e2c5 Intel::FILE_HASH Mandiant Apt1 Report T -e55f7d80d99b6aacb0c8d9ed46856d25 Intel::FILE_HASH Mandiant Apt1 Report T -e56e4b20ef6dc09d29be49481bd29561 Intel::FILE_HASH Mandiant Apt1 Report T -e649f31f7f3a7b15ce1290e8d096c058 Intel::FILE_HASH Mandiant Apt1 Report T -e64d657ce32118b415fa91dc05037c4c Intel::FILE_HASH Mandiant Apt1 Report T -e65c0b3f4dd2f3c9f728077ed1e48f7e Intel::FILE_HASH Mandiant Apt1 Report T -e65db662e449cab03a6c1ac51af41360 Intel::FILE_HASH Mandiant Apt1 Report T -e689b1fb0610b752f42adafc403fa49f Intel::FILE_HASH Mandiant 
Apt1 Report T -e6c25f9994b723d39c785ddfd38a31b8 Intel::FILE_HASH Mandiant Apt1 Report T -e6ff0431a9a9028808efc582405ea7df Intel::FILE_HASH Mandiant Apt1 Report T -e7f728e3bce0e59c3ba973545a3b3a92 Intel::FILE_HASH Mandiant Apt1 Report T -e83f60fb0e0396ea309faf0aed64e53f Intel::FILE_HASH Mandiant Apt1 Report T -e9df2f69ed3d9c895ad9d399eaff1bc8 Intel::FILE_HASH Mandiant Apt1 Report T -ea1b44094ae4d8e2b63a1771a3e61fd5 Intel::FILE_HASH Mandiant Apt1 Report T -ea3155748f9788b741b6799691250579 Intel::FILE_HASH Mandiant Apt1 Report T -ea34b72cbeb07aaac2398704c3ca6b0f Intel::FILE_HASH Mandiant Apt1 Report T -ea47431d832faff7802710dae0abb0d3 Intel::FILE_HASH Mandiant Apt1 Report T -ea502cd3504e74bac454835bd23e019b Intel::FILE_HASH Mandiant Apt1 Report T -ea7309fa59e9347a0715f164edf6b200 Intel::FILE_HASH Mandiant Apt1 Report T -ea7aeea782173eb19ef880c6a54456f2 Intel::FILE_HASH Mandiant Apt1 Report T -ea8b6c2c083d6b7b2b6ebc015b0488ca Intel::FILE_HASH Mandiant Apt1 Report T -eb0c8b05ee6a4334f45968cf45656597 Intel::FILE_HASH Mandiant Apt1 Report T -eb50c166074ae4f13cfea362dc7b668a Intel::FILE_HASH Mandiant Apt1 Report T -eb61cedc9793226a66e4611e6ea25d7f Intel::FILE_HASH Mandiant Apt1 Report T -ebf8eebe3aa218dea5e3f0b2222267b0 Intel::FILE_HASH Mandiant Apt1 Report T -ec09d3b72b282872db4afb0cc9ba7d9d Intel::FILE_HASH Mandiant Apt1 Report T -ec3a2197ca6b63ee1454d99a6ae145ab Intel::FILE_HASH Mandiant Apt1 Report T -ec63f49236858c85168da81c1ac7802a Intel::FILE_HASH Mandiant Apt1 Report T -ec82a53f44511ac09e916bde02cddef0 Intel::FILE_HASH Mandiant Apt1 Report T -ec8aa67b05407c01094184c33d2b5a44 Intel::FILE_HASH Mandiant Apt1 Report T -ec8c89aa5e521572c74e2dd02a4daf78 Intel::FILE_HASH Mandiant Apt1 Report T -eca18e3872fd32f17410167871fbd1d2 Intel::FILE_HASH Mandiant Apt1 Report T -ecf18654e4a2668fb8b2e3db144809af Intel::FILE_HASH Mandiant Apt1 Report T -ecf900c9d743631b59442240ac4ce9da Intel::FILE_HASH Mandiant Apt1 Report T -edb4faeee6542572aff2ec1b6affbd28 Intel::FILE_HASH Mandiant 
Apt1 Report T -eef298d0bc5b8c89f582e48556d77b6a Intel::FILE_HASH Mandiant Apt1 Report T -eef80511aa490b2168ed4c9fa5eafef0 Intel::FILE_HASH Mandiant Apt1 Report T -eefa8d6c9a26dcc13604b11bbe5635c1 Intel::FILE_HASH Mandiant Apt1 Report T -ef0a6c79f99a537f932a5e64999972b3 Intel::FILE_HASH Mandiant Apt1 Report T -ef29229f7b633f634db3a5c49a3f4a1c Intel::FILE_HASH Mandiant Apt1 Report T -ef349196b0ffef5a02d30413c8dffc7c Intel::FILE_HASH Mandiant Apt1 Report T -ef6c375e3e6930e2b50e1e97fe6fbcc9 Intel::FILE_HASH Mandiant Apt1 Report T -ef8e0fb20e7228c7492ccdc59d87c690 Intel::FILE_HASH Mandiant Apt1 Report T -efc2025431e7ec8f8784fe81389c77cf Intel::FILE_HASH Mandiant Apt1 Report T -effa99ea879e5be518f242d5820be070 Intel::FILE_HASH Mandiant Apt1 Report T -f02abd537e481109142b6170933d1b3d Intel::FILE_HASH Mandiant Apt1 Report T -f07ac0b4301fccbae233a44e07a2a634 Intel::FILE_HASH Mandiant Apt1 Report T -f0bab119faa296c680a10ba81693915e Intel::FILE_HASH Mandiant Apt1 Report T -f0d2ad2002557a86ecc780bf938b6dfd Intel::FILE_HASH Mandiant Apt1 Report T -f113e1c754679164b0e137449b7631cc Intel::FILE_HASH Mandiant Apt1 Report T -f172ff6b65140f342e6ee51966ea3c4c Intel::FILE_HASH Mandiant Apt1 Report T -f1ad5daacace5d4a7b18a03132ec2716 Intel::FILE_HASH Mandiant Apt1 Report T -f1db65d3c48ad5a9d1576aefdca036d1 Intel::FILE_HASH Mandiant Apt1 Report T -f1e5d9bf7705b4dc5be0b8a90b73a863 Intel::FILE_HASH Mandiant Apt1 Report T -f1eea61e49a3f86e95836d1c9f67e074 Intel::FILE_HASH Mandiant Apt1 Report T -f2009007bd6718582ad62ad29b742f6b Intel::FILE_HASH Mandiant Apt1 Report T -f2693de8b687c20aca98bfc1c5aa5b38 Intel::FILE_HASH Mandiant Apt1 Report T -f3611c5c793f521f7ff2a69c22d4174e Intel::FILE_HASH Mandiant Apt1 Report T -f38e76417c0f87322d55062428283e58 Intel::FILE_HASH Mandiant Apt1 Report T -f3b54c188185ee0921848b3a6ad4751e Intel::FILE_HASH Mandiant Apt1 Report T -f3f2881a1cf3f81f1ecd952ccb616504 Intel::FILE_HASH Mandiant Apt1 Report T -f445b22897a27ac5852ee19589bea8c2 Intel::FILE_HASH Mandiant 
Apt1 Report T -f4bea18e9d38ab9fa7c1cf6eea2bdc79 Intel::FILE_HASH Mandiant Apt1 Report T -f4ed3b7a8a58453052db4b5be3707342 Intel::FILE_HASH Mandiant Apt1 Report T -f4f8067d501bfef385274912d2a833b5 Intel::FILE_HASH Mandiant Apt1 Report T -f627990bbe2ec5c48c180f724490c332 Intel::FILE_HASH Mandiant Apt1 Report T -f6549d4a4097bac446acf8b31d250d2e Intel::FILE_HASH Mandiant Apt1 Report T -f65eee78ac150924cd37c7f1f3c96518 Intel::FILE_HASH Mandiant Apt1 Report T -f6655e39465c2ff5b016980d918ea028 Intel::FILE_HASH Mandiant Apt1 Report T -f67357d9fa1c3014050f2feefd39c784 Intel::FILE_HASH Mandiant Apt1 Report T -f7c63592ffb87b81ce45c89d207e9403 Intel::FILE_HASH Mandiant Apt1 Report T -f7f85d7f628ce62d1d8f7b39d8940472 Intel::FILE_HASH Mandiant Apt1 Report T -f802b6e448c054c9c16b97ff85646825 Intel::FILE_HASH Mandiant Apt1 Report T -f81991fab3b7d58d66629e26d21176ed Intel::FILE_HASH Mandiant Apt1 Report T -f8437e44748d2c3fcf84019766f4e6dc Intel::FILE_HASH Mandiant Apt1 Report T -f8892c6dacbf7ac756abb361e48bbc82 Intel::FILE_HASH Mandiant Apt1 Report T -f904ea9bc8e2d7ce13a6007183da5957 Intel::FILE_HASH Mandiant Apt1 Report T -f9a46d5024c05a827912a89ca270c553 Intel::FILE_HASH Mandiant Apt1 Report T -f9ed623f13481da16a97aeacdca646dc Intel::FILE_HASH Mandiant Apt1 Report T -fa11cb78f53db2d2718d536d4bd20b85 Intel::FILE_HASH Mandiant Apt1 Report T -fa66312d7e2ed95814f30871cae61d7c Intel::FILE_HASH Mandiant Apt1 Report T -fab6b0b33d59f393e142000f128a9652 Intel::FILE_HASH Mandiant Apt1 Report T -fab7c555a511f4d4e318817455bbb75a Intel::FILE_HASH Mandiant Apt1 Report T -fad92f849e3bbfab211af339eb6a8d66 Intel::FILE_HASH Mandiant Apt1 Report T -fade2270a6c7cb47893ac600a9a0509f Intel::FILE_HASH Mandiant Apt1 Report T -fae6eaf695af058af4b8dfee0709bf51 Intel::FILE_HASH Mandiant Apt1 Report T -fb671e6de6e301c892d2fdaa58f9cd9a Intel::FILE_HASH Mandiant Apt1 Report T -fbde5068f85ce0aac2e9ff387b5f8c06 Intel::FILE_HASH Mandiant Apt1 Report T -fc1937c1aa536b3744ebdfb1716fd54d Intel::FILE_HASH Mandiant 
Apt1 Report T -fc50743af221ccbff7b7c7ec378117f4 Intel::FILE_HASH Mandiant Apt1 Report T -fc89424a2d33ea5af3f49b02e743773b Intel::FILE_HASH Mandiant Apt1 Report T -fc9d20d555a88fc827f3a2bfec4dfa36 Intel::FILE_HASH Mandiant Apt1 Report T -fcdaa67e33357f64bc4ce7b57491fc53 Intel::FILE_HASH Mandiant Apt1 Report T -fd37fa026747059559197461aa7c63e6 Intel::FILE_HASH Mandiant Apt1 Report T -fdef1329ae626656c8389f82c4f9ad38 Intel::FILE_HASH Mandiant Apt1 Report T -fe5ba680a96757ff232d4bad9c0db2b8 Intel::FILE_HASH Mandiant Apt1 Report T -fe8ff84a23feb673a59d8571575fee0b Intel::FILE_HASH Mandiant Apt1 Report T -feb406ff01d9fd5abc5ea079e0543e31 Intel::FILE_HASH Mandiant Apt1 Report T -fefa3638e4d6f2e00b5194ae3fa0c931 Intel::FILE_HASH Mandiant Apt1 Report T -ff085d421518772ce2df75282363279f Intel::FILE_HASH Mandiant Apt1 Report T -ff9aa093a37819af65a06046ea0c830c Intel::FILE_HASH Mandiant Apt1 Report T -ffcc7271e951055f12b61f520ce1e4c7 Intel::FILE_HASH Mandiant Apt1 Report T diff --git a/salt/deprecated-bro/policy/securityonion/bpfconf.bro b/salt/deprecated-bro/policy/securityonion/bpfconf.bro deleted file mode 100644 index 595aef8f2..000000000 --- a/salt/deprecated-bro/policy/securityonion/bpfconf.bro +++ /dev/null 
@@ -1,106 +0,0 @@
-##! This script is to support the bpf.conf file like other network monitoring tools use.
-##! Please don't try to learn from this script right now, there are a large number of
-##! hacks in it to work around bugs discovered in Bro.
-
-@load base/frameworks/notice
-
-module BPFConf;
-
-export {
- ## The file that is watched on disk for BPF filter changes.
- ## Two templated variables are available; "sensorname" and "interface".
- ## They can be used by surrounding the term by doubled curly braces.
- const filename = "/opt/bro/share/bro/site/bpf" &redef;
-
- redef enum Notice::Type += {
- ## Invalid filter notice.
- InvalidFilter
- };
-}
-
-global filter_parts: vector of string = vector();
-global current_filter_filename = "";
-
-type FilterLine: record {
- s: string;
-};
-
-redef enum PcapFilterID += {
- BPFConfPcapFilter,
-};
-
-event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
- {
- local part = sub(s, /[[:blank:]]*#.*$/, "");
-
- # We don't want any blank parts.
- if ( part != "" )
- filter_parts[|filter_parts|] = part;
- }
-
-event Input::end_of_data(name: string, source:string)
- {
- if ( name == "bpfconf" )
- {
- local filter = join_string_vec(filter_parts, " ");
- capture_filters["bpf.conf"] = filter;
- if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
- {
- PacketFilter::install();
- }
- else
- {
- NOTICE([$note=InvalidFilter,
- $msg=fmt("Compiling packet filter from %s failed", filename),
- $sub=filter]);
- }
-
- filter_parts=vector();
- }
- }
-
-
-function add_filter_file()
- {
- local real_filter_filename = BPFConf::filename;
-
- # Support the interface template value.
- #if ( SecurityOnion::sensorname != "" )
- # real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
-
- # Support the interface template value.
- #if ( SecurityOnion::interface != "" )
- # real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
-
- #if ( /\{\{/ in real_filter_filename )
- # {
- # return;
- # }
- #else
- # Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
-
- if ( real_filter_filename != current_filter_filename )
- {
- current_filter_filename = real_filter_filename;
- Input::add_event([$source=real_filter_filename,
- $name="bpfconf",
- $reader=Input::READER_RAW,
- $mode=Input::REREAD,
- $want_record=F,
- $fields=FilterLine,
- $ev=BPFConf::line]);
- }
- }
-
-#event SecurityOnion::found_sensorname(name: string)
-# {
-# add_filter_file();
-# }
-
-event bro_init() &priority=5
- {
- if ( BPFConf::filename != "" )
- add_filter_file();
- }
-
-
diff --git a/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro b/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
deleted file mode 100644
index 0fbe50297..000000000
--- a/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-global sensorname = "{{ grains.host }}";
-
-redef record Conn::Info += {
- sensorname: string &log &optional;
-};
-
-event connection_state_remove(c: connection)
- {
- c$conn$sensorname = sensorname;
- }
diff --git a/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
deleted file mode 100644
index b2707c803..000000000
--- a/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load ./extract
diff --git a/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
deleted file mode 100644
index 7f0f1c902..000000000
--- a/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-global ext_map: table[string] of string = {
- ["application/x-dosexec"] = "exe",
- ["text/plain"] = "txt",
- ["image/jpeg"] = "jpg",
- ["image/png"] = "png",
- ["text/html"] = "html",
-} &default ="";
-
-event file_sniff(f: fa_file, meta: fa_metadata)
- {
- if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
- return;
-
- local ext = "";
-
- if ( meta?$mime_type )
- ext = ext_map[meta$mime_type];
-
- local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
- Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
- }
diff --git a/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro b/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
deleted file mode 100644
index 780208248..000000000
--- a/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-@load tuning/json-logs
-redef LogAscii::json_timestamps = JSON::TS_ISO8601;
-redef LogAscii::use_json = T;
diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls
index 01e673764..8d329c785 100644
--- a/salt/domainstats/init.sls
+++ b/salt/domainstats/init.sls
@@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the group dstatsgroup: group.present:
@@ -37,13 +39,13 @@ dstatslogdir: so-domainstatsimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3 + - name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3 so-domainstats: docker_container.running: - require: - so-domainstatsimage - - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3 + - image: docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3 - hostname: domainstats - name: so-domainstats - user: domainstats
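Review bot: `{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}` has no default, so on a minion whose pillar lacks `static:imagerepo` the value renders as an empty string and both new lines in the second hunk become `docker.io//so-domainstats:HH1.0.3`, which is not a valid image reference. The removed lines show what this replaces, so a backward-compatible form is `{% set IMAGEREPO = salt['pillar.get']('static:imagerepo', 'soshybridhunter') %}`. The same defaultless lookup is added in elastalert, elasticsearch, filebeat, fleet, freqserver, grafana, idstools, influxdb, kibana, logstash, manager, mysql, nginx, nodered, pcap, playbook, reactor/fleet.sls, redis, soc, soctopus and strelka, and the fix applies to each. Because the pull runs with `--disable-content-trust=false`, this pillar key now decides which publisher's signed images are accepted, so it warrants the same change control as the other `static:` keys. The deleted `so-docker-download` script was what pulled from `soshybridhunter` and pushed into `$MANAGER:5000`; nothing in this diff replaces it, so the `{{ MANAGER }}:5000/{{ IMAGEREPO }}/...` references presumably depend on a registry-population step outside this commit.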
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 9bfc8ded4..5703b8717 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
@@ -101,7 +102,7 @@ elastaconf: so-elastalert: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} - hostname: elastalert - name: so-elastalert - user: elastalert
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 14cc38434..7a791c0d2 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
@@ -101,7 +102,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATURES }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8a2b868ce..6889b892f 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -12,6 +12,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
@@ -51,7 +52,7 @@ filebeatconfsync:
 OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
 so-filebeat:
 docker_container.running:
- - image: {{ MANAGER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }}
 - hostname: so-filebeat
 - user: root
 - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 7858ca298..0b402a54b 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -2,6 +2,7 @@ {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set FLEETARCH = salt['grains.get']('role') %}
@@ -105,7 +106,7 @@ fleet_password_none: so-fleet: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-fleet:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-fleet:{{ VERSION }} - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080
diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls
index 783d11b6a..08661f3da 100644
--- a/salt/freqserver/init.sls
+++ b/salt/freqserver/init.sls
@@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the user fservergroup: group.present:
@@ -37,13 +39,13 @@ freqlogdir: so-freqimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3 + - name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3 so-freq: docker_container.running: - require: - so-freqimage - - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3 + - image: docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3 - hostname: freqserver - name: so-freqserver - user: freqserver
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 1f448f6f0..e3119314b 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -1,6 +1,7 @@ {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
@@ -216,7 +217,7 @@ dashboard-{{ SN }}: so-grafana: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-grafana:{{ VERSION }} - hostname: grafana - user: socore - binds:
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 68d14d397..3313fa901 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -13,6 +13,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:
@@ -60,7 +61,7 @@ synclocalnidsrules: so-idstools: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idstools:{{ VERSION }} - hostname: so-idstools - user: socore - binds:
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 6d6bfd328..6d8ba4566 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -1,7 +1,7 @@ {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} - +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %}
@@ -26,7 +26,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-influxdb:{{ VERSION }} - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 792f41579..9521c5bb1 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,4 +1,5 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% if FEATURES %}
@@ -69,7 +70,7 @@ kibanabin:
 # Start the kibana docker
 so-kibana:
 docker_container.running:
- - image: {{ MANAGER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }}
 - host name: kibana
 - user: kibana
 - environment:
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 784db9525..87f348744 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
@@ -159,7 +160,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }} - hostname: so-logstash - name: so-logstash - user: logstash
diff --git a/salt/manager/files/registry/scripts/so-docker-download b/salt/manager/files/registry/scripts/so-docker-download
deleted file mode 100644
index dcba7a531..000000000
--- a/salt/manager/files/registry/scripts/so-docker-download
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-MANAGER={{ MANAGER }}
-VERSION="HH1.2.2"
-TRUSTED_CONTAINERS=( \
-"so-nginx:$VERSION" \
-"so-cyberchef:$VERSION" \
-"so-acng:$VERSION" \
-"so-soc:$VERSION" \
-"so-kratos:$VERSION" \
-"so-fleet:$VERSION" \
-"so-soctopus:$VERSION" \
-"so-steno:$VERSION" \
-"so-playbook:$VERSION" \
-"so-thehive-cortex:$VERSION" \
-"so-thehive:$VERSION" \
-"so-thehive-es:$VERSION" \
-"so-wazuh:$VERSION" \
-"so-kibana:$VERSION" \
-"so-elastalert:$VERSION" \
-"so-filebeat:$VERSION" \
-"so-suricata:$VERSION" \
-"so-logstash:$VERSION" \
-"so-bro:$VERSION" \
-"so-idstools:$VERSION" \
-"so-fleet-launcher:$VERSION" \
-"so-freqserver:$VERSION" \
-"so-influxdb:$VERSION" \
-"so-grafana:$VERSION" \
-"so-telegraf:$VERSION" \
-"so-redis:$VERSION" \
-"so-mysql:$VERSION" \
-"so-curtor:$VERSION" \
-"so-elasticsearch:$VERSION" \
-"so-domainstats:$VERSION" \
-"so-tcpreplay:$VERSION" \
-)
-
-for i in "${TRUSTED_CONTAINERS[@]}"
-do
- # Pull down the trusted docker image
- docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
- # Tag it with the new registry destination
- docker tag soshybridhunter/$i $MANAGER:5000/soshybridhunter/$i
- docker push $MANAGER:5000/soshybridhunter/$i
-done
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index e1d8cdb12..43200cd5c 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %}
@@ -59,7 +60,7 @@ acngcopyconf:
 # Install the apt-cacher-ng container
 so-aptcacherng:
 docker_container.running:
- - image: {{ MANAGER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-acng:{{ VERSION }}
 - hostname: so-acng
 - restart_policy: always
 - port_bindings:
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index e8120724c..c4caa5fcd 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,6 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
 {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %}
 {% set FLEETARCH = salt['grains.get']('role') %}
@@ -71,7 +72,7 @@ mysql_password_none: so-mysql: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-mysql:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-mysql:{{ VERSION }} - hostname: so-mysql - user: socore - port_bindings:
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 8bbdced0f..53bb13eec 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -2,6 +2,7 @@ {% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %} {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} # Drop the correct nginx config based on role nginxconfdir:
@@ -61,7 +62,7 @@ navigatordefaultlayer: so-nginx: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }} - hostname: so-nginx - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls
index c501445a2..bec8f266a 100644
--- a/salt/nodered/init.sls
+++ b/salt/nodered/init.sls
@@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the nodered group noderedgroup: group.present:
@@ -61,7 +63,7 @@ noderedlog: so-nodered: docker_container.running: - - image: soshybridhunter/so-nodered:HH1.2.2 + - image: {{ IMAGEREPO }}/so-nodered:HH1.2.2 - interactive: True - binds: - /opt/so/conf/nodered/:/data:rw
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index dc3db3c21..7a235516a 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -13,6 +13,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
@@ -129,7 +130,7 @@ sensoronilog: so-steno: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-steno:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }} - network_mode: host - privileged: True - port_bindings:
@@ -146,7 +147,7 @@ so-steno: so-sensoroni: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} - network_mode: host - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 6de1c121d..c2380ab3a 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
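Review bot: The new image reference `{{ IMAGEREPO }}/so-nodered:HH1.2.2` in the nodered hunk carries no registry host, unlike `docker.io/{{ IMAGEREPO }}/...` in domainstats and freqserver and `{{ MANAGER }}:5000/{{ IMAGEREPO }}/...` in every other state, so it resolves against the daemon's default registry, and no `docker pull --disable-content-trust=false` step for it is visible in this hunk (the rest of nodered/init.sls is outside it). If the image is meant to come from Docker Hub like the other two hub-sourced containers, `- image: docker.io/{{ IMAGEREPO }}/so-nodered:HH1.2.2` plus a `cmd.run` pull step mirroring `so-domainstatsimage` would make both the source and the content-trust check explicit. Either way, a one-line comment above the state saying where this image is expected to come from would help, since it is now the only container state that does not say.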
@@ -1,5 +1,6 @@
 {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %}
 {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
@@ -73,7 +74,7 @@ playbook_password_none: so-playbook: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-playbook:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }} - hostname: playbook - name: so-playbook - environment:
diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls
index c29ab85ed..507fab620 100644
--- a/salt/reactor/fleet.sls
+++ b/salt/reactor/fleet.sls
@@ -1,3 +1,5 @@ +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + #!py from time import gmtime, strftime
@@ -59,7 +61,7 @@ def run(): # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{{ IMAGEREPO }}/so-fleet-launcher:{ VERSION }", \ f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar)
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 4b61c35ef..5a981e688 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
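Review bot: In the first reactor/fleet.sls hunk the added `{% set IMAGEREPO ... %}` line is placed above `#!py`, and Salt reads the render pipe from a `#!` shebang only when it is the first line of the file, so if `#!py` was line 1 before this change (the collapsed hunk does not make the blank-line placement certain) the file now appears to fall back to the master's default pipe (`jinja|yaml` unless configured otherwise) and its Python body would be handed to the YAML renderer. Keeping the shebang first and naming Jinja in the pipe avoids that: `#!jinja|py` as line 1, followed by `{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}`. This is worth confirming by rendering the reactor file on the master, because a reactor that fails to render is only noticed when its triggering event fires.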
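Review bot: The new image string in the `subprocess.run` call of the second reactor/fleet.sls hunk mixes two template layers: `{ MANAGER }` and `{ VERSION }` are Python f-string substitutions, while `{{ IMAGEREPO }}` must be substituted by Jinja before Python ever sees the file, because inside an f-string `{{` and `}}` are literal braces and would otherwise leave `{ IMAGEREPO }` verbatim in the image name passed to docker. The line is therefore correct only when the Jinja renderer actually runs on this file, which is decided by the shebang handling in the first hunk. A comment on the line, e.g. `# IMAGEREPO is expanded by Jinja at render time; MANAGER and VERSION by the f-string`, would stop the next reader from "normalising" one set of braces into the other. The enclosing `run()` function starts outside the hunk.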
@@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} # Redis Setup @@ -47,7 +48,7 @@ redisconfsync: so-redis: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 0490aa13d..e3fdf538a 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,4 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} socdir: @@ -33,7 +34,7 @@ socsync: so-soc: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-soc:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} - hostname: soc - name: so-soc - binds: @@ -84,7 +85,7 @@ kratossync: so-kratos: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-kratos:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kratos:{{ VERSION }} - hostname: kratos - name: so-kratos - binds: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 11727e149..3fcdf8717 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,4 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {%- set MANAGER_URL = salt['pillar.get']('manager:url_base', '') %} {%- set MANAGER_IP = salt['pillar.get']('static:managerip', '') %} 
@@ -50,7 +51,7 @@ playbookrulessync: so-soctopus: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soctopus:{{ VERSION }} - hostname: soctopus - name: so-soctopus - binds: diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index b34ee92da..c6a900e8e 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -15,6 +15,7 @@ {%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} # Strelka config @@ -79,7 +80,7 @@ strelkastagedir: strelka_coordinator: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - name: so-strelka-coordinator - entrypoint: redis-server --save "" --appendonly no - port_bindings: @@ -87,7 +88,7 @@ strelka_coordinator: strelka_gatekeeper: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - name: so-strelka-gatekeeper - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -95,7 +96,7 @@ strelka_gatekeeper: strelka_frontend: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }} - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw 
@@ -107,7 +108,7 @@ strelka_frontend: strelka_backend: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro @@ -117,7 +118,7 @@ strelka_backend: strelka_manager: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager @@ -125,7 +126,7 @@ strelka_manager: strelka_filestream: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }} - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 0dc16e6b0..4bb192316 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -16,6 +16,7 @@ {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BROVER = salt['pillar.get']('static:broversion', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} {% set BPF_STATUS = 0 %} @@ -132,7 +133,7 @@ suribpf: so-suricata: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 460552bf8..7247e4505 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls 
@@ -1,11 +1,12 @@ {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} so-tcpreplay: docker_container.running: - network_mode: "host" - - image: {{ MANAGER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }} - name: so-tcpreplay - user: root - interactive: True diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index e75608c6a..99e12a60b 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,5 +1,6 @@ {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} # Add Telegraf to monitor all the things. tgraflogdir: @@ -36,7 +37,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-telegraf:{{ VERSION }} - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 6d8ac494d..07eff0939 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -1,5 +1,6 @@ {% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} thehiveconfdir: file.directory: @@ -71,7 +72,7 @@ thehiveesdata: so-thehive-es: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }} - hostname: so-thehive-es - name: so-thehive-es - user: 939 
@@ -99,7 +100,7 @@ so-thehive-es: # Install Cortex so-cortex: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-cortex:{{ VERSION }} - hostname: so-cortex - name: so-cortex - user: 939 @@ -118,7 +119,7 @@ cortexscript: so-thehive: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-thehive:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive:{{ VERSION }} - environment: - ELASTICSEARCH_HOST={{ MANAGERIP }} - hostname: so-thehive diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index c4ca27d95..2ae4ea715 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,5 +1,6 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} # Add ossec group ossecgroup: @@ -83,7 +84,7 @@ wazuhmgrwhitelist: so-wazuh: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }} - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 4fb7fe458..103f36c5a 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,4 +1,5 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} @@ -156,7 +157,7 @@ localzeeksync: so-zeek: docker_container.running: - - image: {{ MANAGER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} - privileged: True - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw 
diff --git a/setup/so-common-functions b/setup/so-common-functions index fc380f85b..078a721bf 100644 --- a/setup/so-common-functions +++ b/setup/so-common-functions @@ -1,6 +1,7 @@ #!/bin/bash source ./so-variables +source ../salt/common/tools/sbin/so-common # Helper functions diff --git a/setup/so-functions b/setup/so-functions index 7d05852e0..03265c1e4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -797,14 +797,14 @@ docker_seed_registry() { set_progress_str "$percent" "Downloading $i" { - if ! docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"; then + if ! docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"; then sleep 5 - docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i" + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i" fi # Tag it with the new registry destination - docker tag soshybridhunter/"$i" "$HOSTNAME":5000/soshybridhunter/"$i" - docker push "$HOSTNAME":5000/soshybridhunter/"$i" - #docker rmi soshybridhunter/"$i" + docker tag $IMAGEREPO/"$i" "$HOSTNAME":5000/$IMAGEREPO/"$i" + docker push "$HOSTNAME":5000/$IMAGEREPO/"$i" + #docker rmi $IMAGEREPO/"$i" } >> "$setup_log" 2>&1 done else @@ -1023,6 +1023,7 @@ manager_static() { " sensoronikey: $SENSORONIKEY"\ " wazuh: $WAZUH"\ " managerupdate: $MANAGERUPDATES"\ + " imagerepo: $IMAGEREPO"\ "strelka:"\ " enabled: $STRELKA"\ " rules: $STRELKARULES"\ diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index a0a4b0288..3ab79df39 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions @@ -15,8 +15,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# Set the new SO Version +. /usr/sbin/so-common +# Set the new SO Version UPDATEVERSION=1.2.2 BUILD=HH 
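Review bot: `source ../salt/common/tools/sbin/so-common` pulls in a script that, per its own hunk later in this series, runs a prerequisite check (`if [ "$(id -u)" -ne 0 ]`) at load time; if that check ends in `exit`, sourcing it terminates the calling setup script rather than returning, and the relative path only resolves when the working directory is `setup/` (the existing `source ./so-variables` makes the same assumption, so this is at least consistent). `upgrade/so-update-functions` now does the same with `. /usr/sbin/so-common`. A one-line comment above the source line, `# so-common defines IMAGEREPO and performs its own root check on load`, would record the dependency for the next reader.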
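Review bot: `$IMAGEREPO` is unquoted in the new `docker pull`/`tag`/`push` lines of `docker_seed_registry` while `"$i"` beside it is quoted; if the variable is unset the pull target becomes `docker.io//"$i"`, the retry branch treats that as a transient failure and sleeps five seconds before failing the same way, and the following tag/push run with a malformed reference. Because these pulls run with `--disable-content-trust=false`, the namespace in `IMAGEREPO` is also what content trust verifies against, so an unexpected or empty value should stop the run rather than be retried. A guard near the top of `docker_seed_registry` (the function starts outside the hunk), `: "${IMAGEREPO:?IMAGEREPO must be set before seeding the registry}"`, plus quoting it as `"$IMAGEREPO"`, covers this; `update_docker_containers` in `upgrade/so-update-functions` has the same pattern.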
@@ -184,16 +185,16 @@ update_docker_containers() { do # Pull down the trusted docker image echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i done for i in "${TRUSTED_CONTAINERS[@]}" do echo "Removing $i locally" - docker rmi soshybridhunter/$i + docker rmi $IMAGEREPO/$i done } From d75d64c8ed5e4359833d4142960c1c42ddb05fad Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 13 Jul 2020 21:03:47 -0400 Subject: [PATCH 214/314] Mount imported pcap dirs into sensoroni container for imported PCAP pivots --- salt/pcap/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 7a235516a..1a9de6611 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -152,6 +152,7 @@ so-sensoroni: - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /nsm/pcap:/nsm/pcap:rw + - /nsm/import:/nsm/import:rw - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw From 09c460dbe99e7428395826ad36b53b3cfa32943f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 14 Jul 2020 00:45:20 -0400 Subject: [PATCH 215/314] Switch to final image repository prefix 'securityonion' for RC1 --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 8db8fea52..5b3eeb647 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -IMAGEREPO=soshybridhunter +IMAGEREPO=securityonion # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then From 178ac79da8b65b56fa110da0d2658de899b13bad Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 09:05:09 -0400 Subject: [PATCH 216/314] [refactor] Set $REDIRECTIT outside of subshell --- setup/so-functions | 23 +++++++++++------------ setup/so-setup | 3 +-- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index df7a3f254..26f7af0fc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -871,6 +871,17 @@ get_redirect() { if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host fi + case $REDIRECTINFO in + 'IP') + export REDIRECTIT="$MAINIP" + ;; + 'HOSTNAME') + export REDIRECTIT="$HOSTNAME" + ;; + *) + export REDIRECTIT="$REDIRECTHOST" + ;; + esac } got_root() { @@ -938,18 +949,6 @@ manager_pillar() { " mtu: $MTU" >> "$pillar_file" fi - case $REDIRECTINFO in - 'IP') - export REDIRECTIT="$MAINIP" - ;; - 'HOSTNAME') - export REDIRECTIT=$HOSTNAME - ;; - *) - export REDIRECTIT="$REDIRECTHOST" - ;; - esac - printf '%s\n'\ " elastalert: 1"\ " nids_rules: $RULESETUP"\ diff --git a/setup/so-setup b/setup/so-setup index c10ff4737..6ca4d3d57 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -378,8 +378,6 @@ if [[ $is_minion ]]; then copy_ssh_key >> $setup_log 2>&1 fi - - # Begin install { # Set initial percentage to 0 @@ -633,6 +631,7 @@ else fi if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi From b884e09e7a7c4f51540392d39b14f0f28bbbd40c Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Tue, 14 Jul 2020 09:09:47 -0400 Subject: [PATCH 217/314] Playbook db init fix --- salt/playbook/init.sls | 15 +++------------ setup/so-setup | 6 +++--- 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index c2380ab3a..44b806f9a 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -6,18 +6,9 @@ {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} -{% if salt['mysql.db_exists']('playbook') %} - #Playbook database exists - Do nothing -{% else %} -salt://playbook/files/playbook_db_init.sh: - cmd.script: - - cwd: /root - - template: jinja - -'sleep 5': - cmd.run -{% endif %} - +include: + - mysql + create_playbookdbuser: module.run: - mysql.user_create: diff --git a/setup/so-setup b/setup/so-setup index 31baf3deb..c84e0dfe5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -539,9 +539,9 @@ fi fi if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 73 "$(print_salt_state_apply 'mysql')" - salt-call state.apply -l info mysql >> $setup_log 2>&1 - + set_progress_str 73 "$(print_salt_state_apply 'playbook.db_init')" + salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 + set_progress_str 73 "$(print_salt_state_apply 'playbook')" salt-call state.apply -l info playbook >> $setup_log 2>&1 so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & From 2c729400103d60cf528b81fab95e262ab8b8f8a7 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 14 Jul 2020 09:09:55 -0400 Subject: [PATCH 218/314] Playbook db init fix --- salt/playbook/db_init.sls | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 salt/playbook/db_init.sls diff --git a/salt/playbook/db_init.sls b/salt/playbook/db_init.sls new file mode 100644 index 000000000..1b2bf7b1a --- /dev/null +++ b/salt/playbook/db_init.sls 
@@ -0,0 +1,14 @@
+
+# This state will import the initial default playbook database.
+# If there is an existing playbook database, it will be overwritten - no backups are made.
+
+include:
+ - mysql
+
+salt://playbook/files/playbook_db_init.sh:
+ cmd.script:
+ - cwd: /root
+ - template: jinja
+
+'sleep 5':
+ cmd.run
\ No newline at end of file
From d6afde90b06fbc437d44f1395f854909da73377e Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 14 Jul 2020 13:37:00 +0000
Subject: [PATCH 219/314] Convert message timestamp to @timestamp
---
 salt/elasticsearch/files/ingest/suricata.common | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index dd08b08a0..435f845c1 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -12,6 +12,8 @@
 { "remove":{ "field": "dataset", "ignore_failure": true } },
 { "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
+ { "set": { "field": "ingest.timestamp", "value": "{{@timestamp}}" } },
+ { "set": { "field": "@timestamp", "value": "{{message2.timestamp}}" } },
 { "remove":{ "field": "agent", "ignore_failure": true } },
 { "pipeline": { "name": "suricata.{{dataset}}" } }
 ]
From d4e6189f6e470921d35c14a2cbd9e45a98c409cb Mon Sep 17 00:00:00 2001
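Review bot: `salt://playbook/files/playbook_db_init.sh` has no `require` on anything from the included `mysql` SLS, so its ordering relative to the MySQL container is only the default file order and the trailing `'sleep 5': cmd.run` is the sole thing covering database start-up; `- require: - sls: mysql` on the `cmd.script` makes the dependency explicit and lets Salt skip the import when mysql fails. The header comment states the existing database is overwritten with no backup, and `setup/so-setup` in PATCH 217 now applies this state unconditionally where the old `playbook/init.sls` guarded it with `mysql.db_exists('playbook')`, so re-running setup on a populated system would discard data; an `unless` check or restoring the guard in this state would be safer. The file also ends without a trailing newline.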
From: Mike Reeves Date: Tue, 14 Jul 2020 09:39:56 -0400 Subject: [PATCH 220/314] Fix spelling error in actions --- salt/curator/files/action/so-beats-close.yml | 2 +- salt/curator/files/action/so-firewall-close.yml | 2 +- salt/curator/files/action/so-ids-close.yml | 2 +- salt/curator/files/action/so-import-close.yml | 2 +- salt/curator/files/action/so-osquery-close.yml | 2 +- salt/curator/files/action/so-ossec-close.yml | 2 +- salt/curator/files/action/so-strelka-close.yml | 2 +- salt/curator/files/action/so-syslog-close.yml | 2 +- salt/curator/files/action/so-zeek-close.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml index dbbcca1c8..4c606d4bc 100644 --- a/salt/curator/files/action/so-beats-close.yml +++ b/salt/curator/files/action/so-beats-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-beats:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml index 46f0b39a9..c30daa6bb 100644 --- a/salt/curator/files/action/so-firewall-close.yml +++ b/salt/curator/files/action/so-firewall-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-firewall:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml index 89f08d8d1..05583d853 100644 --- a/salt/curator/files/action/so-ids-close.yml 
+++ b/salt/curator/files/action/so-ids-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-ids:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml index b9ee6e5da..d7ae725d1 100644 --- a/salt/curator/files/action/so-import-close.yml +++ b/salt/curator/files/action/so-import-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-import:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml index 152a41afa..e58643175 100644 --- a/salt/curator/files/action/so-osquery-close.yml +++ b/salt/curator/files/action/so-osquery-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-osquery:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml index 5ee8c91de..6243fabd6 100644 --- a/salt/curator/files/action/so-ossec-close.yml +++ b/salt/curator/files/action/so-ossec-close.yml 
@@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-ossec:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index a07ab94e8..da0fafcbb 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-strelka:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 3aae50566..225458048 100644 --- a/salt/curator/files/action/so-syslog-close.yml +++ b/salt/curator/files/action/so-syslog-close.yml @@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-syslog:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index ec1ab9eff..7692d26eb 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml 
@@ -1,4 +1,4 @@ -{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settins:so-zeek:close', 30) -%} +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" From 67f2edce28c36dd9781afb46c150ba1f21ebb315 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 14 Jul 2020 09:40:13 -0400 Subject: [PATCH 221/314] Resolve merge conflict that reverted import URL back to Kibana --- salt/common/tools/sbin/so-import-pcap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 92dc27f50..730013b4d 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -209,7 +209,7 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ MANAGERIP }}/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'${START_OLDEST}T00:00:00.000Z',mode:absolute,to:'${END_NEWEST}T00:00:00.000Z')) +https://{{ MANAGERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20PM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20PM or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST From e404a41d8ab13e603150ec637452922a79786ae6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Jul 2020 10:04:15 -0400 Subject: [PATCH 222/314] Add all actions to cron --- salt/curator/files/bin/so-curator-close | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index dff6bbb39..11324dd31 100644 
--- a/salt/curator/files/bin/so-curator-close
+++ b/salt/curator/files/bin/so-curator-close
@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/close.yml > /dev/null 2>&1
+/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1
From 4ab90a9a30ac4a7783419e4a2d9f9257883ee0c6 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 14 Jul 2020 10:12:51 -0400
Subject: [PATCH 223/314] [fix] Move redirect var to function after $MAINIP has been set
---
 setup/so-functions | 25 ++++++++++++++-----------
 setup/so-setup | 5 ++++-
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 26f7af0fc..ee5c15368 100755
--- a/setup/so-functions
+++ b/setup/so-functions
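Review bot: The cron script now runs nine near-identical `docker exec ... curator` invocations on a single line, each discarding stdout and stderr, so a failing action (missing action file, unreachable Elasticsearch, bad YAML) leaves no trace and the remaining actions continue silently. Looping over the action names keeps the list in one place and gives a single point at which to redirect output to a log instead of `/dev/null` (left as-is below to match current behaviour; the log path is the maintainer's choice).
```shell
#!/bin/bash
/usr/sbin/so-curator-closed-delete > /dev/null 2>&1
for action in so-zeek-close so-beats-close so-firewall-close so-ids-close so-import-close \
              so-osquery-close so-ossec-close so-strelka-close so-syslog-close; do
  docker exec so-curator curator --config /etc/curator/config/curator.yml \
    "/etc/curator/action/${action}.yml" > /dev/null 2>&1
done
```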
@@ -871,17 +871,6 @@ get_redirect() { if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host fi - case $REDIRECTINFO in - 'IP') - export REDIRECTIT="$MAINIP" - ;; - 'HOSTNAME') - export REDIRECTIT="$HOSTNAME" - ;; - *) - export REDIRECTIT="$REDIRECTHOST" - ;; - esac } got_root() { @@ -1653,6 +1642,20 @@ set_node_type() { esac } +set_redirect() { + case $REDIRECTINFO in + 'IP') + REDIRECTIT="$MAINIP" + ;; + 'HOSTNAME') + REDIRECTIT="$HOSTNAME" + ;; + *) + REDIRECTIT="$REDIRECTHOST" + ;; + esac +} + set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then diff --git a/setup/so-setup b/setup/so-setup index 6ca4d3d57..4f681e12e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -369,7 +369,10 @@ if [[ $is_manager && ! $is_eval ]]; then add_soremote_user_manager >> $setup_log 2>&1 fi -set_main_ip >> $setup_log 2>&1 +{ + set_main_ip; + set_redirect; +} >> $setup_log 2>&1 host_pillar >> $setup_log 2>&1 From 57cd2cdbeb4c5ee6dee2e4f402a112657a339d27 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Jul 2020 10:37:49 -0400 Subject: [PATCH 224/314] Change opt/so perms --- salt/common/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index ef558d3e5..bb241c805 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -15,6 +15,13 @@ socore: - createhome: True - shell: /bin/bash +soperms: + file.directory: + - name: /opt/so + - uid: 939 + - gid: 939 + - dir_mode: 770 + # Create a state directory statedir: file.directory: From ad3c4c49503369306873e08a6372d96327053c0c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 11:09:12 -0400 Subject: [PATCH 225/314] [fix] master -> manager --- salt/motd/files/so_motd.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/motd/files/so_motd.jinja b/salt/motd/files/so_motd.jinja index 941aa2350..4b22eb56c 100644 --- a/salt/motd/files/so_motd.jinja +++ b/salt/motd/files/so_motd.jinja 
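Review bot: `set_redirect` assigns `REDIRECTIT` without the `export` the removed `case` block in `get_redirect` carried, so child processes started after this point no longer see it in their environment (the `{ set_main_ip; set_redirect; } >> $setup_log` group in `so-setup` is a brace group, not a subshell, so the variable does reach the parent shell). If only later shell functions in the same process read `REDIRECTIT` this is harmless; otherwise restore `export REDIRECTIT="$MAINIP"` and the other two branches. A one-line comment above the function, `# Requires MAINIP (set_main_ip) and REDIRECTINFO/REDIRECTHOST (get_redirect) to be set first`, would document the ordering the commit message describes.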
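Review bot: In `salt/common/init.sls` the new `soperms` state writes `dir_mode: 770` as an unquoted YAML integer; Salt normalises it, but the file-state docs recommend quoting modes (`- dir_mode: '770'`) so a later edit to a leading-zero form such as `0770` is not read as octal 504. The state also hard-codes `uid: 939`/`gid: 939` instead of referring to the `socore` user created directly above it and has no `require` on that state; `- user: socore`, `- group: socore` and `- require: - user: socore` would tie them together. Since `file.directory` without `recurse` only changes `/opt/so` itself, any process running as a uid other than 939 or root that needs to traverse `/opt/so` will now be refused; I cannot see those consumers from this hunk, so that is worth confirming.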
@@ -1,5 +1,5 @@ {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} -{% set url = salt['pillar.get']('master:url_base') -%} +{% set url = salt['pillar.get']('manager:url_base') -%} Access the Security Onion web interface at https://{{ url }} From caf9e3f75a6ac679bab56038cb23870bcc12757a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 11:13:50 -0400 Subject: [PATCH 226/314] [fix] Redirect hive_init output to log --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 4f681e12e..91c2d4806 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -630,7 +630,7 @@ if [[ -n $SO_ERROR ]]; then whiptail_setup_failed else whiptail_setup_complete - if [[ $THEHIVE == 1 ]]; then check_hive_init; fi + if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi fi if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From ba8395fc118458a0109353cce4a027917e9380d6 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 14 Jul 2020 13:04:29 -0400 Subject: [PATCH 227/314] Fleet reactor fix --- salt/fleet/event_gen-packages.sls | 3 ++- salt/reactor/fleet.sls | 5 ++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 1cf7e331a..4aaf631e7 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -3,6 +3,7 @@ {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} {% set VERSION = salt['pillar.get']('static:soversion') %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %} {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %} 
@@ -21,4 +22,4 @@ so/fleet: current-package-version: {{ CURRENTPACKAGEVERSION }} manager: {{ MANAGER }} version: {{ VERSION }} - \ No newline at end of file + imagerepo: {{ IMAGEREPO }} \ No newline at end of file diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 507fab620..177dabf3a 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -1,5 +1,3 @@ -{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} - #!py from time import gmtime, strftime @@ -55,13 +53,14 @@ def run(): MANAGER = data['data']['manager'] VERSION = data['data']['version'] ESECRET = data['data']['enroll-secret'] + IMAGEREPO = data['data']['imagerepo'] # Increment the package version by 1 PACKAGEVERSION += 1 # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{{ IMAGEREPO }}/so-fleet-launcher:{ VERSION }", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{ IMAGEREPO }/so-fleet-launcher:{ VERSION }", \ f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) From f9df39977b2dc928f218bacff1b120569aadf2b9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 14 Jul 2020 17:38:43 +0000 Subject: [PATCH 228/314] Add observer name for Strelka events --- salt/elasticsearch/files/ingest/strelka.file | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index 17c1dca62..78fa5a10e 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
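Review bot: `IMAGEREPO = data['data']['imagerepo']` in `salt/reactor/fleet.sls` raises `KeyError` for any `so/fleet` event emitted without that key (for example from a minion still running the previous `event_gen-packages.sls`), which aborts `run()` before the package build with no useful message; `IMAGEREPO = data['data'].get('imagerepo', '')` followed by an explicit empty check would fail clearly instead. The value is spliced into the image reference handed to `docker run`, so it deserves a non-empty check even though the argv list form used here keeps it out of any shell. `run()` starts outside the hunk.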
@@ -19,6 +19,7 @@ } } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}", { "remove": { "field": ["host", "path", "message", "scan.exiftool.keys"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] From a1e6a85a68bfa638571fd037fb09d7fc1595bd2f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 14 Jul 2020 15:49:46 -0400 Subject: [PATCH 229/314] explicitly set Suricata timestamp timezone to UTC --- salt/elasticsearch/files/ingest/suricata.common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index 435f845c1..2bc727012 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common @@ -13,7 +13,7 @@ { "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } }, { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, { "set": { "field": "ingest.timestamp", "value": "{{@timestamp}}" } }, - { "set": { "field": "@timestamp", "value": "{{message2.timestamp}}" } }, + { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "name": "suricata.{{dataset}}" } } ] From 57bf23d83c7317e3cabec3658a02b213bc012775 Mon Sep 17 00:00:00 2001 
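Review bot: The added processor `{ "set": { "field": "observer.name", "value": "{{agent.name}}",` is never closed, so the pipeline definition is no longer valid JSON and Elasticsearch will reject the whole strelka.file pipeline when it is loaded. It should read `{ "set": { "field": "observer.name", "value": "{{agent.name}}" } },`; a later patch on this page (235, "add curlys") makes exactly this correction. The enclosing processors array starts before the hunk.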
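Review bot: With `"ignore_failure": true` on the new `date` processor, a `message2.timestamp` that matches neither `ISO8601` nor `UNIX` leaves `@timestamp` at whatever value the shipper assigned, with no marker that the real event time was lost, which quietly distorts timelines during an investigation. Consider replacing `ignore_failure` with an `on_failure` handler that tags the document (for example appends to `tags` or sets `error.message`) so mis-parsed events can be found and counted. Note also that the `timezone` setting only applies to inputs that carry no explicit offset, so its effect should be confirmed against the offset form Suricata actually emits. The processors array starts before the hunk.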
From: m0duspwnens Date: Tue, 14 Jul 2020 16:07:46 -0400 Subject: [PATCH 230/314] move templates from logstash to elasticsearch --- pillar/elasticsearch/search.sls | 13 +++++++ pillar/logstash/eval.sls | 29 -------------- pillar/logstash/search.sls | 12 ------ pillar/top.sls | 3 ++ .../tools/sbin/so-elasticsearch-templates | 4 +- salt/elasticsearch/init.sls | 39 +++++++++++++++++++ .../custom/place_custom_template_in_local | 0 .../templates/so/so-beats-template.json.jinja | 0 .../templates/so/so-common-template.json | 0 .../so/so-firewall-template.json.jinja | 0 .../templates/so/so-flow-template.json.jinja | 0 .../templates/so/so-ids-template.json.jinja | 0 .../so/so-import-template.json.jinja | 0 .../so/so-osquery-template.json.jinja | 0 .../templates/so/so-ossec-template.json.jinja | 0 .../so/so-strelka-template.json.jinja | 0 .../so/so-syslog-template.json.jinja | 0 .../templates/so/so-zeek-template.json.jinja | 0 salt/logstash/init.sls | 35 +---------------- .../config/so/9000_output_zeek.conf.jinja | 2 +- .../config/so/9002_output_import.conf.jinja | 2 +- .../config/so/9004_output_flow.conf.jinja | 2 +- .../config/so/9033_output_snort.conf.jinja | 2 +- .../config/so/9034_output_syslog.conf.jinja | 2 +- .../config/so/9100_output_osquery.conf.jinja | 2 +- .../config/so/9200_output_firewall.conf.jinja | 2 +- .../config/so/9400_output_suricata.conf.jinja | 2 +- .../config/so/9500_output_beats.conf.jinja | 2 +- .../config/so/9600_output_ossec.conf.jinja | 2 +- .../config/so/9700_output_strelka.conf.jinja | 2 +- 30 files changed, 70 insertions(+), 87 deletions(-) create mode 100644 pillar/elasticsearch/search.sls delete mode 100644 pillar/logstash/eval.sls rename salt/{logstash/pipelines => elasticsearch}/templates/custom/place_custom_template_in_local (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-beats-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-common-template.json (100%) rename 
salt/{logstash/pipelines => elasticsearch}/templates/so/so-firewall-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-flow-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-ids-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-import-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-osquery-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-ossec-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-strelka-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-syslog-template.json.jinja (100%) rename salt/{logstash/pipelines => elasticsearch}/templates/so/so-zeek-template.json.jinja (100%) diff --git a/pillar/elasticsearch/search.sls b/pillar/elasticsearch/search.sls new file mode 100644 index 000000000..9ff97de5b --- /dev/null +++ b/pillar/elasticsearch/search.sls @@ -0,0 +1,13 @@ +elasticsearch: + templates: + - so/so-beats-template.json.jinja + - so/so-common-template.json + - so/so-firewall-template.json.jinja + - so/so-flow-template.json.jinja + - so/so-ids-template.json.jinja + - so/so-import-template.json.jinja + - so/so-osquery-template.json.jinja + - so/so-ossec-template.json.jinja + - so/so-strelka-template.json.jinja + - so/so-syslog-template.json.jinja + - so/so-zeek-template.json.jinja diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls deleted file mode 100644 index fcdd13bb7..000000000 --- a/pillar/logstash/eval.sls +++ /dev/null 
@@ -1,29 +0,0 @@ -logstash: - pipelines: - eval: - config: - - so/0800_input_eval.conf - - so/1002_preprocess_json.conf - - so/1033_preprocess_snort.conf - - so/7100_osquery_wel.conf - - so/8999_postprocess_rename_type.conf - - so/9000_output_bro.conf.jinja - - so/9002_output_import.conf.jinja - - so/9033_output_snort.conf.jinja - - so/9100_output_osquery.conf.jinja - - so/9400_output_suricata.conf.jinja - - so/9500_output_beats.conf.jinja - - so/9600_output_ossec.conf.jinja - - so/9700_output_strelka.conf.jinja - templates: - - so/so-beats-template.json.jinja - - so/so-common-template.json - - so/so-firewall-template.json.jinja - - so/so-flow-template.json.jinja - - so/so-ids-template.json.jinja - - so/so-import-template.json.jinja - - so/so-osquery-template.json.jinja - - so/so-ossec-template.json.jinja - - so/so-strelka-template.json.jinja - - so/so-syslog-template.json.jinja - - so/so-zeek-template.json.jinja diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 9c069fd20..486deb408 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -11,15 +11,3 @@ logstash: - so/9500_output_beats.conf.jinja - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja - templates: - - so/so-beats-template.json.jinja - - so/so-common-template.json - - so/so-firewall-template.json.jinja - - so/so-flow-template.json.jinja - - so/so-ids-template.json.jinja - - so/so-import-template.json.jinja - - so/so-osquery-template.json.jinja - - so/so-ossec-template.json.jinja - - so/so-strelka-template.json.jinja - - so/so-syslog-template.json.jinja - - so/so-zeek-template.json.jinja diff --git a/pillar/top.sls b/pillar/top.sls index 6eba800a9..e3ae34f28 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -11,6 +11,7 @@ base: - logstash - logstash.manager - logstash.search + - elasticsearch.search '*_sensor': - static 
@@ -41,6 +42,7 @@ base: - logstash - logstash.manager - logstash.search + - elasticsearch.search - data.* - brologs - secrets @@ -75,4 +77,5 @@ base: - static - logstash - logstash.search + - elasticsearch.search - minions.{{ grains.id }} diff --git a/salt/common/tools/sbin/so-elasticsearch-templates b/salt/common/tools/sbin/so-elasticsearch-templates index 6b3e19d30..dfbf07c42 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates +++ b/salt/common/tools/sbin/so-elasticsearch-templates @@ -15,13 +15,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -default_salt_dir=/opt/so/saltstack/default +default_conf_dir=/opt/so/conf ELASTICSEARCH_HOST="{{ MANAGERIP}}" ELASTICSEARCH_PORT=9200 #ELASTICSEARCH_AUTH="" # Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/" +ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" # Wait for ElasticSearch to initialize echo -n "Waiting for ElasticSearch..." diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 7a791c0d2..357a9f415 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -31,6 +31,8 @@ {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} {% endif %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} + vm.max_map_count: sysctl.present: - value: 262144 @@ -63,6 +65,13 @@ esingestdir: - group: 939 - makedirs: True +estemplatedir: + file.directory: + - name: /opt/so/conf/elasticsearch/templates + - user: 930 + - group: 939 + - makedirs: True + esingestconf: file.recurse: - name: /opt/so/conf/elasticsearch/ingest 
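Review bot: `ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/"` now points at a directory that, in this same commit, is populated both by the flattened `file.managed` states and by a `file.recurse` of the whole `salt://elasticsearch/templates` tree, so it appears to also hold `so/` and `custom/` subdirectories and `.jinja`-named copies. Unless the loop that consumes this variable (outside the hunk) filters on top-level `*.json`, the script would try to post non-template entries to Elasticsearch; a comment stating the expectation, e.g. `# Rendered top-level *.json templates only; subdirectories and .jinja sources are skipped`, together with the matching filter would make the contract explicit.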
@@ -86,6 +95,36 @@ esyml: - group: 939 - template: jinja +#sync templates to /opt/so/conf/elasticsearch/templates +{% for TEMPLATE in TEMPLATES %} +es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: + file.managed: + - source: salt://elasticsearch/templates/{{TEMPLATE}} + {% if 'jinja' in TEMPLATE.split('.')[-1] %} + - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} + - template: jinja + {% else %} + - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} + {% endif %} + - user: 930 + - group: 939 +{% endfor %} + +es_templates: + file.recurse: + - name: /opt/so/conf/elasticsearch/templates + - source: salt://elasticsearch/templates + - user: 930 + - group: 939 + - template: jinja + - clean: True +{% if TEMPLATES %} + - require: + {% for TEMPLATE in TEMPLATES %} + - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} + {% endfor %} +{% endif %} + nsmesdir: file.directory: - name: /nsm/elasticsearch diff --git a/salt/logstash/pipelines/templates/custom/place_custom_template_in_local b/salt/elasticsearch/templates/custom/place_custom_template_in_local similarity index 100% rename from salt/logstash/pipelines/templates/custom/place_custom_template_in_local rename to salt/elasticsearch/templates/custom/place_custom_template_in_local diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/so/so-beats-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-beats-template.json.jinja rename to salt/elasticsearch/templates/so/so-beats-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json similarity index 100% rename from salt/logstash/pipelines/templates/so/so-common-template.json rename to salt/elasticsearch/templates/so/so-common-template.json 
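Review bot: The `es_templates` `file.recurse` state uses `clean: True` on `/opt/so/conf/elasticsearch/templates`, the same directory into which the `es_template_*` `file.managed` states above it write the flattened, rendered files (for example `so-beats-template.json`); those flattened names do not exist under `salt://elasticsearch/templates`, so `clean` removes them, and the `require` ordering guarantees the removal runs after they are written. Either drop the recurse state (a later patch on this page, 232, does this) or drop `clean: True`. Two smaller points: `TEMPLATE.split('/')[1]` silently mis-handles entries with no or more than one directory component, and `- template: jinja` on the recurse renders the `.jinja` sources a second time into the `so/` subdirectory. The state file continues outside the hunk.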
diff --git a/salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-firewall-template.json.jinja rename to salt/elasticsearch/templates/so/so-firewall-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/so/so-flow-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-flow-template.json.jinja rename to salt/elasticsearch/templates/so/so-flow-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/so/so-ids-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-ids-template.json.jinja rename to salt/elasticsearch/templates/so/so-ids-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-import-template.json.jinja b/salt/elasticsearch/templates/so/so-import-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-import-template.json.jinja rename to salt/elasticsearch/templates/so/so-import-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-osquery-template.json.jinja rename to salt/elasticsearch/templates/so/so-osquery-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-ossec-template.json.jinja rename to salt/elasticsearch/templates/so/so-ossec-template.json.jinja 
diff --git a/salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-strelka-template.json.jinja rename to salt/elasticsearch/templates/so/so-strelka-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-syslog-template.json.jinja rename to salt/elasticsearch/templates/so/so-syslog-template.json.jinja diff --git a/salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja similarity index 100% rename from salt/logstash/pipelines/templates/so/so-zeek-template.json.jinja rename to salt/elasticsearch/templates/so/so-zeek-template.json.jinja diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 87f348744..dbf345822 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -36,7 +36,6 @@ {% endif %} {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} -{% set TEMPLATES = salt['pillar.get']('logstash:templates', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} # Create the logstash group 
@@ -94,21 +93,6 @@ ls_pipeline_{{PL}}: {% endfor %} -#sync templates to /opt/so/conf/logstash/etc -{% for TEMPLATE in TEMPLATES %} -ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: - file.managed: - - source: salt://logstash/pipelines/templates/{{TEMPLATE}} - {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - - template: jinja - {% else %} - - name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}} - {% endif %} - - user: 931 - - group: 939 -{% endfor %} - lspipelinesyml: file.managed: - name: /opt/so/conf/logstash/etc/pipelines.yml @@ -126,12 +110,6 @@ lsetcsync: - group: 939 - template: jinja - clean: True -{% if TEMPLATES %} - - require: - {% for TEMPLATE in TEMPLATES %} - - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} - {% endfor %} -{% endif %} - exclude_pat: pipelines* # Create the import directory @@ -171,13 +149,7 @@ so-logstash: - {{ BINDING }} {% endfor %} - binds: -{% for TEMPLATE in TEMPLATES %} - {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:ro - {% else %} - - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}}:/{{TEMPLATE.split('/')[1]}}:ro - {% endif %} -{% endfor %} + - /opt/so/conf/elasticsearch/templates/:/templates/:ro - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml 
@@ -206,7 +178,4 @@ so-logstash: - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} {% endfor %} {% endfor %} -{% for TEMPLATE in TEMPLATES %} - - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} -# - file: /opt/so/conf/logstash/rulesets + - file: /opt/so/conf/elasticsearch/templates/* \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 54a30f272..f86bf946c 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-zeek-%{+YYYY.MM.dd}" template_name => "so-zeek" - template => "/so-zeek-template.json" + template => "/templates/so-zeek-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 563e5984e..52c9f034a 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-import-%{+YYYY.MM.dd}" template_name => "so-import" - template => "/so-import-template.json" + template => "/templates/so-import-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 007713811..740676367 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -9,7 +9,7 @@ output { hosts => "{{ ES }}" index => "so-flow-%{+YYYY.MM.dd}" template_name => "so-flow" - template => "/so-flow-template.json" + template => "/templates/so-flow-template.json" template_overwrite => true } } 
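Review bot: `- file: /opt/so/conf/elasticsearch/templates/*` makes the `so-logstash` requisite depend on states declared in `salt/elasticsearch/init.sls` rather than in this file, so on a minion where the elasticsearch state is not part of the same highstate run the glob matches no state and Salt fails the container state with an unresolved requisite; the preceding hunk's bind mount of `/opt/so/conf/elasticsearch/templates/` carries the same cross-state dependency. If logstash-only nodes exist, either assign them the elasticsearch templates state in the top file or wrap the requisite and the mount in the same condition that selects those nodes. The requisite list this line belongs to starts outside the hunk, and the file loses its trailing newline here.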
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 065653f01..fed1ffdf5 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -9,7 +9,7 @@ output { hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" template_name => "so-ids" - template => "/so-ids-template.json" + template => "/templates/so-ids-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index cd7e44d74..5087f41da 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-syslog-%{+YYYY.MM.dd}" template_name => "so-syslog" - template => "/so-syslog-template.json" + template => "/templates/so-syslog-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 3b99a7afa..01436cf5f 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-osquery-%{+YYYY.MM.dd}" template_name => "so-osquery" - template => "/so-osquery-template.json" + template => "/templates/so-osquery-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 9407fe79e..a295b5f7a 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -9,7 +9,7 @@ output { hosts => "{{ ES }}" index => "so-firewall-%{+YYYY.MM.dd}" template_name => "so-firewall" - template => "/so-firewall-template.json" + template => "/templates/so-firewall-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index d3026aa20..ace7cccf1 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" template_name => "so-ids" - template => "/so-ids-template.json" + template => "/templates/so-ids-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 6874e5e76..ed513f597 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-beats-%{+YYYY.MM.dd}" template_name => "so-beats" - template => "/so-beats-template.json" + template => "/templates/so-beats-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 77610d9e0..14a9bc1d1 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-ossec-%{+YYYY.MM.dd}" template_name => "so-ossec" - template => "/so-ossec-template.json" + template => "/templates/so-ossec-template.json" template_overwrite => true } } 
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index b92e2a3d9..9fd074f3f 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -10,7 +10,7 @@ output { hosts => "{{ ES }}" index => "so-strelka-%{+YYYY.MM.dd}" template_name => "so-strelka" - template => "/so-strelka-template.json" + template => "/templates/so-strelka-template.json" template_overwrite => true } } From 8647944ae641700fd42eddafd145dbae221a65c1 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 14 Jul 2020 16:59:06 -0400 Subject: [PATCH 231/314] Parsing & Hunt query updates --- salt/elasticsearch/files/ingest/beats.common | 3 ++- salt/soc/files/soc/soc.json | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index 5ca41e5f5..cafbc9e94 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common 
@@ -4,7 +4,8 @@ {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, - { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 6b6a84d50..31e49fc86 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
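Review bot: The new condition `ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'` is also true when `winlog` is absent entirely, so every non-Windows event passing through this pipeline gets `event.dataset` overwritten (`override: true`) with the expansion of `{{winlog.channel}}` on a missing field, clobbering any dataset value set earlier. Guard on presence first: `"if": "ctx.winlog?.channel != null && ctx.winlog.channel != 'Microsoft-Windows-Sysmon/Operational'"`. The processors array continues outside the hunk.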
@@ -78,8 +78,8 @@ "su" : ["soc_timestamp", "message" ], "sudo" : ["soc_timestamp", "message" ], "systemd": ["soc_timestamp", "message" ], - "sysmon": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "parent_image_path", "source_name", "task", "username" ], - "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "log_name", "source_name", "task" ] + "sysmon": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "host.name", "event.dataset", "parent_image_path", "source_name", "task", "user.name" ], + "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "host.name", "event.code", "event.dataset", "source_name", "task" ] }, "queries": [ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, 
@@ -91,8 +91,8 @@ { "name": "Wazuh/OSSEC Commands", "description": "Show all Wazuh alerts grouped by command line", "query": "event.module:ossec AND event.dataset:alert | groupby process.command_line"}, { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"}, { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.name"}, - { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event_id", "query": "event_type:sysmon | groupby event_id"}, - { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event_type:sysmon | groupby username"}, + { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, + { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, From acaec6c1251c3c3d883a60f557ff25d22afbcdab Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Jul 2020 17:12:29 -0400 Subject: [PATCH 232/314] remove recurse causing issues --- salt/elasticsearch/init.sls | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 357a9f415..7e09ed6c1 100644 
--- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -110,21 +110,6 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: - group: 939 {% endfor %} -es_templates: - file.recurse: - - name: /opt/so/conf/elasticsearch/templates - - source: salt://elasticsearch/templates - - user: 930 - - group: 939 - - template: jinja - - clean: True -{% if TEMPLATES %} - - require: - {% for TEMPLATE in TEMPLATES %} - - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} - {% endfor %} -{% endif %} - nsmesdir: file.directory: - name: /nsm/elasticsearch From 9bbbaa485cc55a1d801e2f024a38a6f71c28f0d9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 14 Jul 2020 16:52:49 -0400 Subject: [PATCH 233/314] Switch PM to AM since we want to span midnight to midnight --- salt/common/tools/sbin/so-import-pcap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 730013b4d..ae7f996ac 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -209,7 +209,7 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ MANAGERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20PM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20PM +https://{{ MANAGERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM or you can manually set your Time Range to be: From: $START_OLDEST To: $END_NEWEST From acb800d1c9f7ad9946f48ca156c27f8b9bafcadb Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Tue, 14 Jul 2020 17:36:26 -0400 Subject: [PATCH 234/314] Using static UID for Grafana overview dashboard to allow SOC to directly link to those dashboards --- salt/grafana/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index e3119314b..e63c9a9c4 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -93,7 +93,7 @@ dashboard-manager: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -116,7 +116,7 @@ dashboard-managersearch: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -139,7 +139,7 @@ dashboard-standalone: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -208,7 +208,7 @@ dashboard-{{ SN }}: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} From 5cf71596b295a282cf5f6d417332c33839de1d08 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Jul 2020 17:36:52 -0400 Subject: [PATCH 235/314] add curlys --- salt/elasticsearch/files/ingest/strelka.file | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index 78fa5a10e..d9d6fc0f0 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
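Review bot: All four hunks replace the per-node `SNDATA.guid` with the constant `UID: so_overview`, including the `dashboard-{{ SN }}` state in the last hunk that appears to be rendered once per sensor; if this value becomes the Grafana dashboard `uid`, every provisioned dashboard in a multi-node deployment carries the same identifier, and Grafana requires `uid` to be unique, so later dashboards would overwrite or fail to provision. Keep the fixed UID only for the single overview dashboard SOC links to, and derive the others from the node name, e.g. `UID: so_{{ SN }}`. Each `dashboard-*` state starts outside its hunk.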
@@ -19,7 +19,7 @@ } } }, - { "set": { "field": "observer.name", "value": "{{agent.name}}", + { "set": { "field": "observer.name", "value": "{{agent.name}}" }}, { "remove": { "field": ["host", "path", "message", "scan.exiftool.keys"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] From c0960e58e8d75d2de364ec78441e531687203881 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 14 Jul 2020 19:42:50 -0400 Subject: [PATCH 236/314] Improve grammer of so-allow input prompt --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 0650dd256..74847f688 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1075,7 +1075,7 @@ whiptail_so_allow() { if [[ $exitstatus == 0 ]]; then ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ - --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \ + --inputbox "Enter a single IP address, or an IP range, in CIDR notation, to allow:" \ 10 75 3>&1 1>&2 2>&3) local exitstatus=$? From b53ce392ef8e5cdb44ecbc88ea79c90060999c69 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 14 Jul 2020 22:45:38 -0400 Subject: [PATCH 237/314] Improve grammer of summary screen in whiptail --- setup/so-whiptail | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 74847f688..e48850cb1 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1034,11 +1034,11 @@ whiptail_setup_complete() { fi read -r -d '' message <<- EOM - Finished ${install_type} install + Finished ${install_type} installation. - ${sentence_prefix} the web interface at https://${REDIRECTIT} + ${sentence_prefix} the web interface at: https://${REDIRECTIT} - Press ENTER to reboot + Press ENTER to reboot. EOM whiptail --title "Security Onion Setup" --msgbox "$message" 12 75 From 9dc115134779a480c5be80f0a2bcf19e998186fa Mon Sep 17 00:00:00 2001 
From: Jason Ertel
Date: Tue, 14 Jul 2020 22:59:42 -0400
Subject: [PATCH 238/314] Imported logs are sent to so-import index on eval installations
---
 salt/filebeat/etc/filebeat.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 6aeac7bba..1342775b7 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -127,7 +127,7 @@ filebeat.inputs:
 imported: true
 processors:
 - add_tags:
- tags: [import]
+ tags: ["import"]
 - dissect:
 tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
 field: "log.file.path"
@@ -167,7 +167,7 @@ filebeat.inputs:
 imported: true
 processors:
 - add_tags:
- tags: [import]
+ tags: ["import"]
 - dissect:
 tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
 field: "log.file.path"
@@ -260,6 +260,9 @@ output.elasticsearch:
 pipelines:
 - pipeline: "%{[module]}.%{[dataset]}"
 indices:
+ - index: "so-import-%{+yyyy.MM.dd}"
+ when.contains:
+ tags: "import"
 - index: "so-zeek-%{+yyyy.MM.dd}"
 when.contains:
 module: "zeek"
From e4fff05dbc3d1af6885a10c0e15c7a60b0f9f2d0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 15 Jul 2020 08:30:43 -0400
Subject: [PATCH 239/314] load templates for es for eval
---
 pillar/elasticsearch/eval.sls | 13 +++++++++++++
 pillar/top.sls | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 pillar/elasticsearch/eval.sls
diff --git a/pillar/elasticsearch/eval.sls b/pillar/elasticsearch/eval.sls
new file mode 100644
index 000000000..2dbb08f59
--- /dev/null
+++ b/pillar/elasticsearch/eval.sls
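Review bot: The new `so-import-%{+yyyy.MM.dd}` rule is placed first in `indices`, and Filebeat applies the first matching rule, so every `import`-tagged event bypasses the module-based `so-zeek`/`so-*` rules beneath it; that is the intent here, but the precedence is implicit and anyone reordering the list later would silently undo it, so a comment above the new entry such as `# keep first: imported pcap data is routed by tag, not by module` would pin the ordering. The commit message scopes this to eval installations, yet nothing in the hunk restricts the rule by role, so it is worth confirming whether non-eval nodes can emit `import`-tagged events and would then write to `so-import-*` without the template that the following commit adds only to `pillar/elasticsearch/eval.sls`. The `output.elasticsearch` mapping continues outside the hunk.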
@@ -0,0 +1,13 @@
+elasticsearch:
+ templates:
+ - so/so-beats-template.json.jinja
+ - so/so-common-template.json
+ - so/so-firewall-template.json.jinja
+ - so/so-flow-template.json.jinja
+ - so/so-ids-template.json.jinja
+ - so/so-import-template.json.jinja
+ - so/so-osquery-template.json.jinja
+ - so/so-ossec-template.json.jinja
+ - so/so-strelka-template.json.jinja
+ - so/so-syslog-template.json.jinja
+ - so/so-zeek-template.json.jinja
\ No newline at end of file
diff --git a/pillar/top.sls b/pillar/top.sls
index e3ae34f28..9ab170a97 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -31,11 +31,12 @@ base:
 - logstash.manager
 '*_eval':
- - static
 - data.*
 - brologs
 - secrets
 - healthcheck.eval
+ - elasticsearch.eval
+ - static
 - minions.{{ grains.id }}
 '*_standalone':
From 3c42f50e990fa5ce549e844d2e814547b5ff9686 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 15 Jul 2020 11:12:44 -0400
Subject: [PATCH 240/314] Ensure whiptail success/summary screen is final step before reboot
---
 setup/so-setup | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index e96b7edb6..149f4768d 100755
--- a/setup/so-setup
+++ b/setup/so-setup
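Review bot: Moving `- static` from the top of the `'*_eval'` list to just after `- elasticsearch.eval` changes pillar precedence, not only ordering: Salt merges pillar sources in top-file order with later entries winning on conflicting keys, so if `static` and `elasticsearch.eval` both define anything under `elasticsearch:` the effective values now differ from before, and the commit message does not mention the move. Either leave `- static` where it was if the reorder is incidental, or add a comment at the new position such as `# static last so its values override the role-specific pillars above` stating the intended precedence. The new `pillar/elasticsearch/eval.sls` is also missing its trailing newline (`\ No newline at end of file`).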
@@ -626,18 +626,20 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow if [[ -n $SO_ERROR ]]; then + echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 SKIP_REBOOT=1 whiptail_setup_failed else - whiptail_setup_complete + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" >> $setup_log 2>&1 + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + fi + if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi -fi -if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 -fi + install_cleanup >> $setup_log 2>&1 -install_cleanup >> $setup_log 2>&1 + whiptail_setup_complete +fi if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi From d11ef08961bfec650efc58321d30eb35545d63ee Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 15 Jul 2020 12:37:04 -0400 Subject: [PATCH 241/314] Playbook anonymous perms fix --- salt/playbook/files/playbook_db_init.sql | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/salt/playbook/files/playbook_db_init.sql b/salt/playbook/files/playbook_db_init.sql index c74869e82..1b1535fe3 100644 --- a/salt/playbook/files/playbook_db_init.sql +++ b/salt/playbook/files/playbook_db_init.sql @@ -315,7 +315,7 @@ CREATE TABLE `custom_field_enumerations` ( `active` tinyint(1) NOT NULL DEFAULT '1', `position` int(11) NOT NULL DEFAULT '1', PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
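Review bot: The exit status of the relocated `IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1` is discarded, so when so-allow fails the script still runs `install_cleanup`, shows `whiptail_setup_complete` and reboots, leaving the operator with a success screen and no allow rule for the address they entered. Checking the result, e.g. `if ! IP=$ALLOW_CIDR so-allow "-$ALLOW_ROLE" >> $setup_log 2>&1; then` / `echo "so-allow -${ALLOW_ROLE} failed for ${ALLOW_CIDR}" >> $setup_log 2>&1` / `fi`, at least records the failure in the log, and quoting `"-$ALLOW_ROLE"` also avoids word-splitting if the role value ever contains whitespace. The failure branch now deliberately skips `install_cleanup`, which the new log line explains, but a one-line comment there such as `# leave setup artifacts in place for troubleshooting` would keep that rationale next to the code.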
@@ -455,7 +455,7 @@ CREATE TABLE `custom_values` ( PRIMARY KEY (`id`), KEY `custom_values_customized` (`customized_type`,`customized_id`), KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=120758 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=134139 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -825,7 +825,7 @@ CREATE TABLE `journal_details` ( `value` longtext, PRIMARY KEY (`id`), KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=2278 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -857,7 +857,7 @@ CREATE TABLE `journals` ( KEY `index_journals_on_user_id` (`user_id`), KEY `index_journals_on_journalized_id` (`journalized_id`), KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=7616 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=8218 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -1310,7 +1310,7 @@ CREATE TABLE `settings` ( LOCK TABLES `settings` WRITE; /*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 
18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.141:7000/playbook/sigmac\ncreate_url: http://10.66.166.141:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 
16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); +INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- 
[]\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.188:7000/playbook/sigmac\ncreate_url: http://10.66.166.188:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- 
cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); /*!40000 ALTER TABLE `settings` ENABLE KEYS */; UNLOCK TABLES; @@ -1371,7 +1371,7 @@ CREATE TABLE `tokens` ( PRIMARY KEY (`id`), UNIQUE KEY `tokens_value` (`value`), KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=72 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=62 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
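Review bot: The regenerated `settings` row for `plugin_redmine_playbook` (id 43) still embeds a developer-host address in `convert_url`/`create_url` (`http://10.66.166.188:7000/...`, previously `.141`), as does the `webhooks` INSERT in the `@@ -1567` hunk; these values change every time the dump is re-exported and will not match any deployment, so presumably something rewrites them at install time, in which case a `-- ` comment above the INSERT naming that step would help, and otherwise they should be templated from pillar since the file lives under `salt/`. The same row set keeps `login_required` at `'0'`, i.e. the Playbook UI stays reachable without authentication; given the commit title that looks intended, but stating it in the commit message or a comment near the INSERT would stop it being read as an oversight.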
@@ -1380,7 +1380,7 @@ CREATE TABLE `tokens` ( LOCK TABLES `tokens` WRITE; /*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'); +INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 
18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),(61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'); /*!40000 ALTER TABLE `tokens` ENABLE KEYS */; UNLOCK TABLES; 
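Review bot: The `tokens` INSERT now ships an additional live `session` token (id 61, created 2020-07-15) on top of the existing `session`, `feeds` and `api` rows, so every installation seeded from this dump starts with identical, pre-issued Redmine tokens — including the `api` token for the `automation` user (id 9) — that are readable by anyone with a copy of the repository; the same applies to the `users` INSERT in the `@@ -1481` hunk, whose admin row carries a fixed `hashed_password` and `salt` into every deployment. The dump should be committed with the `tokens` table empty (drop the INSERT, keep the `LOCK`/`UNLOCK` framing) and the admin credentials and automation API key generated per install by whatever provisions Playbook; the new row here, like the `AUTO_INCREMENT` bumps in the neighbouring hunks, is also pure churn from re-exporting a development database. If the automation API token is needed at install time, a comment such as `-- api token for 'automation' is generated by the init state, not shipped in this dump` above the INSERT would document the intended flow.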
@@ -1481,7 +1481,7 @@ CREATE TABLE `users` ( LOCK TABLES `users` WRITE; /*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-10 23:37:45','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); +INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-15 16:30:42','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 
13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); /*!40000 ALTER TABLE `users` ENABLE KEYS */; UNLOCK TABLES; @@ -1567,7 +1567,7 @@ CREATE TABLE `webhooks` ( LOCK TABLES `webhooks` WRITE; /*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.141:7000/playbook/webhook',1); +INSERT INTO `webhooks` VALUES (1,'http://10.66.166.188:7000/playbook/webhook',1); /*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; UNLOCK TABLES; @@ -1742,7 +1742,7 @@ CREATE TABLE `workflows` ( KEY `index_workflows_on_role_id` (`role_id`), KEY `index_workflows_on_new_status_id` (`new_status_id`), KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=642 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=648 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -1751,7 +1751,7 @@ CREATE TABLE `workflows` ( LOCK TABLES `workflows` WRITE; /*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition'
,NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','1
2','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermissi
on','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1,2,0,2,0,0,'WorkflowPermission','priority_id','
readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'WorkflowPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'WorkflowPermission','3','readonly'),(576,1,3,0,2
,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2,0,0,'WorkflowPermission','8','readonly'),(611,
1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(614,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'); +INSERT INTO `workflows` VALUES 
(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission',
'tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission',
'3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermis
sion','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1,2,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'Workfl
owPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'WorkflowPermission','3','readonly'),(576,1,3,0,2,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,
2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2,0,0,'WorkflowPermission','8','readonly'),(611,1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(6
14,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'),(642,1,2,3,2,0,0,'WorkflowTransition',NULL,NULL),(643,1,2,6,2,0,0,'WorkflowTransition',NULL,NULL),(644,1,3,4,2,0,0,'WorkflowTransition',NULL,NULL),(645,1,4,5,2,0,0,'WorkflowTransition',NULL,NULL),(646,1,4,6,2,0,0,'WorkflowTransition',NULL,NULL),(647,1,6,3,2,0,0,'WorkflowTransition',NULL,NULL); /*!40000 ALTER TABLE `workflows` ENABLE KEYS */; UNLOCK TABLES; /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; 
@@ -1764,4 +1764,4 @@ UNLOCK TABLES;
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
--- Dump completed on 2020-07-10 23:39:20
+-- Dump completed on 2020-07-15 16:33:41
From 0a976861f3b5905c2cb7d654fd1bab7b77652fa6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 15 Jul 2020 13:22:11 -0400
Subject: [PATCH 242/314] Dynamically set sensor checkin interval; allow overrides if var is preset
---
 salt/pcap/files/sensoroni.json | 3 ++-
 setup/so-functions | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json
index 81fc4569b..76fb0e502 100644
--- a/salt/pcap/files/sensoroni.json
+++ b/salt/pcap/files/sensoroni.json
@@ -1,10 +1,11 @@
 {%- set MANAGER = salt['grains.get']('master') -%}
 {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
+{%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms') -%}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"debug",
 "agent": {
- "pollIntervalMs": 10000,
+ "pollIntervalMs": {{ CHECKININTERVALMS }},
 "serverUrl": "https://{{ MANAGER }}/sensoroniagents",
 "verifyCert": false,
 "modules": {
diff --git a/setup/so-functions b/setup/so-functions
index f4f5d9ba1..0bbc013b2 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -923,6 +923,13 @@ manager_pillar() {
 local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
+ if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then
+ SENSOR_CHECKIN_INTERVAL_MS=10000
+ if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then
+ SENSOR_CHECKIN_INTERVAL_MS=1000
+ fi
+ fi
+
 # Create the manager pillar
 printf '%s\n'\
 "manager:"\
@@ -969,6 +976,9 @@ manager_pillar() {
 " lsheap: $LS_HEAP_SIZE"\
 " ls_pipeline_workers: $num_cpu_cores"\
 ""\
+ "pcap:">> "$pillar_file"\
+ " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
+ ""\
 "kratos:" >> "$pillar_file"
 printf '%s\n'\
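Review bot: `salt['pillar.get']('pcap:sensor_checkin_interval_ms')` has no default, so on any minion whose pillar does not yet carry the new `pcap:` key — which this commit appears to write only from the setup-time `manager_pillar()` — the template renders `"pollIntervalMs": None,` and the agent receives unparseable JSON instead of the previous 10000 ms. Keep the old value as the fallback: `{%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms', 10000) -%}`. The neighbouring `SENSORONIKEY` lookup already follows that pattern with an explicit default.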
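Review bot: `"pcap:">> "$pillar_file"\` places a redirection in the middle of the `printf` argument list; bash accepts a redirect anywhere in a simple command, so this works only because both `>>` target the same file in append mode, and the next reader will assume the command was split here. Drop the stray redirect so the line matches its siblings: `"pcap:"\`. The enclosing `manager_pillar()` starts and ends outside this hunk.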
From 9781d8d0e74862c7d095b62826d6a0df93bb8524 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 15 Jul 2020 13:53:28 -0400
Subject: [PATCH 243/314] Ensure permissions are consistently applied to all imported PCAP files
---
 salt/common/tools/sbin/so-import-pcap | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index ae7f996ac..a45fe6777 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -180,6 +180,7 @@ for PCAP in "$@"; do
 fi
 cp -f "${PCAP}" "${PCAP_DIR}"/data.pcap
+ chmod 644 "${PCAP_DIR}"/data.pcap
 fi # end of valid pcap
From d71dc89b136b5577232771c67a2415aa088fd7c2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 15 Jul 2020 17:46:33 -0400
Subject: [PATCH 244/314] New SOUP
---
 exclude-list.txt | 0
 salt/common/tools/sbin/so-docker-refresh | 1 +
 salt/common/tools/sbin/so-features-enable | 11 ++
 salt/common/tools/sbin/soup | 167 ++++++++++++++++--
 upgrade/so-update-functions | 205 ----------------------
 upgrade/soup | 27 ---
 6 files changed, 169 insertions(+), 242 deletions(-)
 delete mode 100644 exclude-list.txt
 delete mode 100644 upgrade/so-update-functions
 delete mode 100644 upgrade/soup
diff --git a/exclude-list.txt b/exclude-list.txt
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh
index 11200864f..16b8fb930 100644
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -78,6 +78,7 @@ if [ $MANAGERCHECK != 'so-helix' ]; then
 "so-logstash:$VERSION" \
 "so-mysql:$VERSION" \
 "so-nginx:$VERSION" \
+ "so-pcaptools:$VERSION" \
 "so-playbook:$VERSION" \
 "so-redis:$VERSION" \
 "so-soc:$VERSION" \
diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
index edc378bc5..b4e471c99 100755
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -17,6 +17,17 @@
 . /usr/sbin/so-common
 local_salt_dir=/opt/so/saltstack/local
+manager_check() {
+ # Check to see if this is a manager
+ MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+ if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then
+ echo "This is a manager. We can proceed."
+ else
+ echo "Please run so-features-enable on the manager."
+ exit 0
+}
+
+manager_check
 VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') # Modify static.sls to enable Features
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 7c471aa34..7ce5b2ac0 100644
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
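Review bot: The `if` in the new `manager_check()` is broken twice: `OR` is not an operator inside `[ ]`, so `[` reports too many arguments and the test always fails, and the `if` is never closed with `fi` before `}`, which is a parse error that stops the whole script before `manager_check` is even called. Write it as three tests joined by `||` and close it — `if [ "$MANAGERCHECK" = 'so-eval' ] || [ "$MANAGERCHECK" = 'so-manager' ] || [ "$MANAGERCHECK" = 'so-managersearch' ]; then` … `fi` before the closing brace — and have the non-manager branch `exit 1` rather than `exit 0`, so a caller can tell the script refused to run. The same function with the same two defects is added to `soup` in the next file of this commit (its hunk runs past the end of this chunk), so fix both. `grep role` on the grains file will also match any line that merely contains `role`; assuming the file is the usual `role: <value>` YAML that the `awk '{print $2}'` implies, anchoring it as `grep '^role:'` is worth doing while you are there.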
@@ -15,23 +15,170 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -clone_to_tmp() { +. /usr/sbin/so-common +UPDATE_DIR=/tmp/sogh/securityonion +INSTALLEDVERSION=$(cat /etc/soversion) +default_salt_dir=/opt/so/saltstack/default +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then + echo "This is a manager. We can proceed" + else + echo "Please run soup on the manager. The manager controls all updates." + exit 0 +} + +clean_dockers() { + # Place Holder for cleaning up old docker images + echo "" +} + +clone_to_tmp() { # TODO Need to add a air gap option + # Clean old files + rm -rf /tmp/sogh # Make a temp location for the files - rm -rf /tmp/soup - mkdir -p /tmp/soup - cd /tmp/soup - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + mkdir -p /tmp/sogh + cd /tmp/sogh + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + git clone https://github.com/Security-Onion-Solutions/securityonion.git + cd /tmp + if [ ! -f $UPDATE_DIR/VERSION ]; then + echo "Update was unable to pull from github. Please check your internet." + exit 0 + fi +} + +copy_new_files() { + # Copy new files over to the salt dir + cd /tmp/sogh/securityonion + rsync -a salt $default_salt_dir/ + rsync -a pillar $default_salt_dir/ + chown -R socore:socore $default_salt_dir/ + chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh + cd /tmp +} + +highstate() { + # Run a highstate but first cancel a running one. + salt-call saltutil.kill_all_jobs + salt-call state.highstate +} + +pillar_changes() { + # This function is to add any new pillar items if needed. 
+ echo "Checking to see if pillar changes are needed" } -# Prompt the user that this requires internets +update_dockers() { + # List all the containers + if [ $MANAGERCHECK != 'so-helix' ]; then + TRUSTED_CONTAINERS=( \ + "so-acng" \ + "so-thehive-cortex" \ + "so-curator" \ + "so-domainstats" \ + "so-elastalert" \ + "so-elasticsearch" \ + "so-filebeat" \ + "so-fleet" \ + "so-fleet-launcher" \ + "so-freqserver" \ + "so-grafana" \ + "so-idstools" \ + "so-influxdb" \ + "so-kibana" \ + "so-kratos" \ + "so-logstash" \ + "so-mysql" \ + "so-nginx" \ + "so-pcaptools" \ + "so-playbook" \ + "so-redis" \ + "so-soc" \ + "so-soctopus" \ + "so-steno" \ + "so-strelka" \ + "so-suricata" \ + "so-telegraf" \ + "so-thehive" \ + "so-thehive-es" \ + "so-wazuh" \ + "so-zeek" ) + else + TRUSTED_CONTAINERS=( \ + "so-filebeat" \ + "so-idstools" \ + "so-logstash" \ + "so-nginx" \ + "so-redis" \ + "so-steno" \ + "so-suricata" \ + "so-telegraf" \ + "so-zeek" ) + fi +# Download the containers from the interwebs + for i in "${TRUSTED_CONTAINERS[@]}" + do + # Pull down the trusted docker image + echo "Downloading $i:$NEWVERSION" + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION + # Tag it with the new registry destination + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + done + +} + +update_version() { + # Update the version to the latest + echo "Updating the version file." + echo $NEWVERSION > /etc/soversion +} + +upgrade_check() { + # Let's make sure we actually need to update. + NEWVERSION=$(cat $UPDATE_DIR/VERSION) + if [ $INSTALLEDVERSION == $NEWVERSION ]; then + echo "You are already running the latest version of Security Onion." + exit 0 + else + echo "Performing Upgrade from $INSTALLEDVERSION to $NEWVERSION" + fi +} + +verify_latest_update_script() { + # Check to see if the update scripts match. If not run the new one. 
+ CURRENTSOUP=$(md5sum /usr/sbin/soup) + GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup) + if [ $CURRENTSOUP == $GITSOUP ]; then + echo "The scripts match" + else + echo "They don't match" + cp $UPDATE_DIR/salt/sommon/tools/sbin/soup /usr/sbin/soup + cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/ + echo "soup has been updated. Please run soup again" + exit 0 + fi +} + +manager_check clone_to_tmp -cd /tmp/soup/securityonion-saltstack/update -chmod +x soup -./soup +verify_latest_update_script +upgrade_check +pillar_changes +clean_dockers +update_dockers +copy_new_files +highstate +update_version + + + + diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions deleted file mode 100644 index 3ab79df39..000000000 --- a/upgrade/so-update-functions +++ /dev/null 
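Review bot: `verify_latest_update_script` compares the full `md5sum` output, which includes the file path, so `$CURRENTSOUP` and `$GITSOUP` can never be equal (and the unquoted `[ ... ]` test receives extra arguments); every run therefore takes the mismatch path, copies the script and exits with "run soup again". Keep only the digest and quote the comparison: `CURRENTSOUP=$(md5sum /usr/sbin/soup | awk '{print $1}')`, `GITSOUP=$(md5sum $UPDATE_DIR/salt/common/tools/sbin/soup | awk '{print $1}')`, `if [ "$CURRENTSOUP" == "$GITSOUP" ]; then`. The copy source on that path reads `$UPDATE_DIR/salt/sommon/tools/sbin/soup`, where "sommon" should be "common". In `update_dockers`, `docker tag $IMAGEREPO/$i ...` names the source image without `:$NEWVERSION`, so it re-tags whatever local `latest` exists rather than the image just pulled; use `docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION`. `clone_to_tmp` also checks out the repository's default branch rather than the release being installed, so the code copied into the salt tree and run as root is whatever that branch holds at the moment; if releases are tagged, cloning with `--branch` and the intended tag would pin it.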
@@ -1,205 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -# Set the new SO Version -UPDATEVERSION=1.2.2 -BUILD=HH - -#Determine the current install version - -if [ -f /etc/soversion ]; then - OLDVERSION=$(cat /etc/soversion) -else - OLDVERSION=1.1.4 -fi - -# Use the hostname -HOSTNAME=$(hostname) - -# List all the containers -if [ $MANAGERCHECK != 'so-helix' ]; then - TRUSTED_CONTAINERS=( \ - "so-acng:$BUILD$UPDATEVERSION" \ - "so-thehive-cortex:$BUILD$UPDATEVERSION" \ - "so-curator:$BUILD$UPDATEVERSION" \ - "so-domainstats:$BUILD$UPDATEVERSION" \ - "so-elastalert:$BUILD$UPDATEVERSION" \ - "so-elasticsearch:$BUILD$UPDATEVERSION" \ - "so-filebeat:$BUILD$UPDATEVERSION" \ - "so-fleet:$BUILD$UPDATEVERSION" \ - "so-fleet-launcher:$BUILD$UPDATEVERSION" \ - "so-freqserver:$BUILD$UPDATEVERSION" \ - "so-grafana:$BUILD$UPDATEVERSION" \ - "so-idstools:$BUILD$UPDATEVERSION" \ - "so-influxdb:$BUILD$UPDATEVERSION" \ - "so-kibana:$BUILD$UPDATEVERSION" \ - "so-kratos:$BUILD$UPDATEVERSION" \ - "so-logstash:$BUILD$UPDATEVERSION" \ - "so-mysql:$BUILD$UPDATEVERSION" \ - "so-nginx:$BUILD$UPDATEVERSION" \ - "so-playbook:$BUILD$UPDATEVERSION" \ - "so-redis:$BUILD$UPDATEVERSION" \ - "so-soc:$BUILD$UPDATEVERSION" \ - "so-soctopus:$BUILD$UPDATEVERSION" \ - "so-steno:$BUILD$UPDATEVERSION" \ - 
"so-strelka:$BUILD$UPDATEVERSION" \ - "so-suricata:$BUILD$UPDATEVERSION" \ - "so-telegraf:$BUILD$UPDATEVERSION" \ - "so-thehive:$BUILD$UPDATEVERSION" \ - "so-thehive-es:$BUILD$UPDATEVERSION" \ - "so-wazuh:$BUILD$UPDATEVERSION" \ - "so-zeek:$BUILD$UPDATEVERSION" ) - else - TRUSTED_CONTAINERS=( \ - "so-filebeat:$BUILD$UPDATEVERSION" \ - "so-idstools:$BUILD$UPDATEVERSION" \ - "so-logstash:$BUILD$UPDATEVERSION" \ - "so-nginx:$BUILD$UPDATEVERSION" \ - "so-redis:$BUILD$UPDATEVERSION" \ - "so-steno:$BUILD$UPDATEVERSION" \ - "so-suricata:$BUILD$UPDATEVERSION" \ - "so-telegraf:$BUILD$UPDATEVERSION" \ - "so-zeek:$BUILD$UPDATEVERSION" ) - fi - - -clone_to_tmp() { - - # TODO Need to add a air gap option - # Make a temp location for the files - mkdir /tmp/sogh - cd /tmp/sogh - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - cd /tmp - -} - -copy_new_files() { - - # Copy new files over to the salt dir - cd /tmp/sogh/securityonion-saltstack - rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/ - chown -R socore:socore $default_salt_dir/salt - chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh - cd /tmp -} - -detect_os() { - - # Detect Base OS - echo "Detecting Base OS" >> $UPDATELOG 2>&1 - if [ -f /etc/redhat-release ]; then - OS=centos - if grep -q "CentOS Linux release 7" /etc/redhat-release; then - OSVER=7 - elif grep -q "CentOS Linux release 8" /etc/redhat-release; then - OSVER=8 - echo "We currently do not support CentOS $OSVER but we are working on it!" 
- exit - else - echo "We do not support the version of CentOS you are trying to use" - exit - fi - - elif [ -f /etc/os-release ]; then - OS=ubuntu - if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then - OSVER=bionic - elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then - OSVER=xenial - else - echo "We do not support your current version of Ubuntu" - exit - fi - else - echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1 - exit - fi - - echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1 - -} - -manager_check() { - # Check to see if this is a manager - MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then - echo "This is a manager. We can proceed" - else - echo "Please run soup on the manager. The manager controls all updates." - exit -} - -salt_highstate() { - - salt-call state.highstate - -} - -update_held_packages() { - - if [ $OS == "centos" ] - SALTVER=2019.2.4 - DOCKERVER= - yum -y --disableexcludes=all update salt-$SALTVER - yum -y --disableexcludes=all update docker-ce-$DOCKERVER - else - SALTVER=2019.2.4+ds-1 - DOCKERVER=5:19.03.8~3-0~ubuntu-xenial - fi - -} - -update_all_packages() { - - # Update all the things based on OS - if [ $OS == "centos" ]; then - yum -y update - else - apt -y update && apt -y upgrade - fi - -} - -update_docker_containers() { - - # Download the containers from the interwebs - for i in "${TRUSTED_CONTAINERS[@]}" - do - # Pull down the trusted docker image - echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i - # Tag it with the new registry destination - docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i - docker push $HOSTNAME:5000/$IMAGEREPO/$i - done - - for i in "${TRUSTED_CONTAINERS[@]}" - do - echo "Removing $i locally" - docker rmi $IMAGEREPO/$i - done - -} - -update_hh_version() { - # Change the version number in the 
static pillar - -} diff --git a/upgrade/soup b/upgrade/soup deleted file mode 100644 index 068782f04..000000000 --- a/upgrade/soup +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -SCRIPTDIR=$(dirname "$0") -source $SCRIPTDIR/so-update-functions - -# Update Packages -manager_check -update_all_packages -update_held_packages - - - From 473606371ab59cf40721e576c886391a00d8d9fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Jul 2020 17:49:13 -0400 Subject: [PATCH 245/314] Fix Features Download --- salt/common/tools/sbin/so-features-enable | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index b4e471c99..a7507290f 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable @@ -47,8 +47,3 @@ do docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i docker push $HOSTNAME:5000/$IMAGEREPO/$i done -for i in "${TRUSTED_CONTAINERS[@]}" -do - echo "Removing $i locally" - docker rmi $IMAGEREPO/$i -done From a4672dedee9fd022c79d5b8ff8e412506fe4793c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Jul 2020 18:17:05 -0400 Subject: [PATCH 246/314] Update README.md --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) 
diff --git a/README.md b/README.md index 1cff4b355..474041903 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,30 @@ +## Security Onion 2.0.0.rc1 + +Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is good news: From here on out you will be able to use soup on the master to upgrade your environment to RC2 and beyond! The team here has been hard at work to bring you the following changes: + +- You will notice we have done a little re-branding to give 2.0 a fresh look. +- We have removed all references to "master" in the code and now call it a "manager". +- All documentation has moved to our docs site. +- soup is alive! This will only update the Security Onion components. Please use the build in OS update process to keep the OS up to date. +- so-features-enable should now properly work. +- so-import-pcap! See the docs here. +- You can now pivot to PCAP from Suricata alerts. +- ISO install now prompts you to create an admin user instead of using onion. This user has full sudo rights. +- The disk should now more reliably clean itself up. +- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files. +- Locked down access to certain SSL keys. +- Suricata logs will now compress after they roll over. +- You can now customize shard counts per index. +- Elastic ingest parsing improvements. +- Elastic nodes are now "hot" by default. This will allow adding a warm node easier. +- so-allow will now run at the end of an install so you can enable access right away. + + +## Hybrid Hunter Beta 1.4.1 - Beta 3 + +- Fix install script to handle hostnames properly. + + ## Hybrid Hunter Beta 1.4.0 - Beta 3 - Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local. From 48c9244a8114c30f7ddbc151ff54813d5d21e398 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Wed, 15 Jul 2020 19:05:49 -0400 Subject: [PATCH 247/314] Update README.md --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 474041903..fea8247c5 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ## Security Onion 2.0.0.rc1 -Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is good news: From here on out you will be able to use soup on the master to upgrade your environment to RC2 and beyond! The team here has been hard at work to bring you the following changes: +Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is good news: From here on out you will be able to use soup on the manager to upgrade your environment to RC2 and beyond! The team here has been hard at work to bring you the following changes: - You will notice we have done a little re-branding to give 2.0 a fresh look. - We have removed all references to "master" in the code and now call it a "manager". 
@@ -18,6 +18,18 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - Elastic ingest parsing improvements. - Elastic nodes are now "hot" by default. This will allow adding a warm node easier. - so-allow will now run at the end of an install so you can enable access right away. +- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardised and copied to `event.severity` (1-Low/2-Medium/3-High/4-Critical) +- Initial implementation of alerting queues: + - Low & Medium alerts are accessible through Kibana & SOC Hunt + - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate viewing +- ATT&CK Navigator is now a statically-hosted site in the nginx container +- Playbook + - All Sigma rules in the community repo are now imported & kept up to date (500+) + - Initial implementation of automated testing when a Play's detection logic has been edited (ie Unit Testing) + - UI Theme has been updated + - Once authenticated through SOC, you can now access Playbook with analyst permissions without login +- Ingest parsing updates for Windows Eventlogs & Sysmon logs shipped with WinLogbeat & Osquery (ECS) +- Kolide Launcher update to include the ability to pass arbitrary flags - new functionality sponsored by SOS ## Hybrid Hunter Beta 1.4.1 - Beta 3 From 29c28fcb5e811703ef1a273bd850453a6fbb5a82 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 15 Jul 2020 19:06:36 -0400 Subject: [PATCH 248/314] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fea8247c5..e5f3f8b27 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,8 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - Elastic ingest parsing improvements. - Elastic nodes are now "hot" by default. This will allow adding a warm node easier. - so-allow will now run at the end of an install so you can enable access right away. -- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardised and copied to `event.severity` (1-Low/2-Medium/3-High/4-Critical) +- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardised and copied to `event.severity`: + - 1-Low / 2-Medium / 3-High / 4-Critical - Initial implementation of alerting queues: - Low & Medium alerts are accessible through Kibana & SOC Hunt - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate viewing From 350d2fbeda449f807647797b536eef359b8b28ac Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 15 Jul 2020 19:07:25 -0400 Subject: [PATCH 249/314] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e5f3f8b27..8016d2fcc 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - 1-Low / 2-Medium / 3-High / 4-Critical - Initial implementation of alerting queues: - Low & Medium alerts are accessible through Kibana & SOC Hunt - - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate viewing + - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate analysis - ATT&CK Navigator is now a statically-hosted site in the nginx container - Playbook - All Sigma rules in the community repo are now imported & kept up to date (500+) From f7d527bb9016f46d5f70914774c3251da429ced1 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Thu, 16 Jul 2020 08:14:23 -0400 Subject: [PATCH 250/314] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 8016d2fcc..ca6f12699 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,12 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - Once authenticated through SOC, you can now access Playbook with analyst permissions without login - Ingest parsing updates for Windows Eventlogs & Sysmon logs shipped with WinLogbeat & Osquery (ECS) - Kolide Launcher update to include the ability to pass arbitrary flags - new functionality sponsored by SOS +- Fixed issue with Wazuh authd registration service port not being correctly exposed +- Added option for exposure of ES Rest API (port 9200) to so-allow for easier external querying/integration with other tools +- Added option to so-allow for external Strelka file uploads (ex. via `strelka-fileshot`) +- Added default YARA rules for Strelka -- default rules are fmaintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base +- Added the ability to use custom Zeek scripts +- Improved unification of Zeek and Strelka file data ## Hybrid Hunter Beta 1.4.1 - Beta 3 From 7fecfdab32d5c31e221be639724ffcd54235790f Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 16 Jul 2020 08:14:47 -0400 Subject: [PATCH 251/314] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ca6f12699..6c55eb65e 100644 --- a/README.md +++ b/README.md 
@@ -34,7 +34,7 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - Fixed issue with Wazuh authd registration service port not being correctly exposed - Added option for exposure of ES Rest API (port 9200) to so-allow for easier external querying/integration with other tools - Added option to so-allow for external Strelka file uploads (ex. via `strelka-fileshot`) -- Added default YARA rules for Strelka -- default rules are fmaintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base +- Added default YARA rules for Strelka -- default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base - Added the ability to use custom Zeek scripts - Improved unification of Zeek and Strelka file data From 5190e5d4342b2c8019234319cb135c731cde9a93 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 16 Jul 2020 09:20:20 -0400 Subject: [PATCH 252/314] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6c55eb65e..9a71e2b49 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is - Added default YARA rules for Strelka -- default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base - Added the ability to use custom Zeek scripts - Improved unification of Zeek and Strelka file data +- The web email & password set during setup is also used to create the initial accounts for TheHive, Cortex, and Fleet ## Hybrid Hunter Beta 1.4.1 - Beta 3 From 8275f458a18f3187a8c14ee3435072052f77e016 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 16 Jul 2020 13:30:38 +0000 Subject: [PATCH 253/314] Fix module eval --- .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 9fd074f3f..0e6977e29 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -4,7 +4,7 @@ {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} output { - if [event_type] =~ "strelka" { + if [module] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" From f10f47ad4e303645437b000b7ebccda4f66c560e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Jul 2020 10:12:10 -0400 Subject: [PATCH 254/314] including elasticsearch in logstash state --- salt/logstash/init.sls | 3 +++ salt/top.sls | 6 ------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index dbf345822..60e0967c3 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -38,6 +38,9 @@ {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +include: + - elasticsearch + # Create the logstash group logstashgroup: group.present: diff --git a/salt/top.sls b/salt/top.sls index a04e75657..f95223354 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -138,7 +138,6 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} - - elasticsearch - logstash - kibana - elastalert @@ -185,7 +184,6 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} - - elasticsearch - logstash - kibana - pcap @@ -237,7 +235,6 @@ base: - common - firewall - logstash - - elasticsearch - curator {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package @@ -265,7 +262,6 @@ base: - wazuh {%- endif %} - logstash - - elasticsearch - curator - filebeat {%- if FLEETMANAGER or FLEETNODE %} @@ -309,7 +305,6 @@ base: - wazuh {%- endif %} - logstash - - elasticsearch - curator - kibana - elastalert 
@@ -345,7 +340,6 @@ base: - wazuh {%- endif %} - logstash - - elasticsearch - curator - filebeat {%- if FLEETMANAGER or FLEETNODE %} From 5d2c6d330fbfb8d45971ba4f7025a38091e51c36 Mon Sep 17 00:00:00 2001 From: phil1090 Date: Thu, 16 Jul 2020 10:15:40 -0400 Subject: [PATCH 255/314] Update README.md --- README.md | 59 +++++++++++++++++++++++++++---------------------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 9a71e2b49..8f779a71e 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,43 @@ ## Security Onion 2.0.0.rc1 -Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is good news: From here on out you will be able to use soup on the manager to upgrade your environment to RC2 and beyond! The team here has been hard at work to bring you the following changes: +Security Onion 2.0.0 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! -- You will notice we have done a little re-branding to give 2.0 a fresh look. -- We have removed all references to "master" in the code and now call it a "manager". -- All documentation has moved to our docs site. -- soup is alive! This will only update the Security Onion components. Please use the build in OS update process to keep the OS up to date. -- so-features-enable should now properly work. -- so-import-pcap! See the docs here. -- You can now pivot to PCAP from Suricata alerts. -- ISO install now prompts you to create an admin user instead of using onion. This user has full sudo rights. -- The disk should now more reliably clean itself up. -- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files. -- Locked down access to certain SSL keys. -- Suricata logs will now compress after they roll over. -- You can now customize shard counts per index. -- Elastic ingest parsing improvements. -- Elastic nodes are now "hot" by default. This will allow adding a warm node easier. -- so-allow will now run at the end of an install so you can enable access right away. -- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardised and copied to `event.severity`: +### Changes: +- Re-branded 2.0 to give it a fresh look +- All documentation has moved to our [docs site](https://docs.securityonion.net/en/2.0) +- soup is alive! 
Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date. +- so-import-pcap is back! See the docs [here](http://docs.securityonion.net/en/2.0/so-import-pcap). +- Fixed issue with so-features-enable +- Users can now pivot to PCAP from Suricata alerts +- ISO install now prompts users to create an admin/sudo user instead of using a default account name +- The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet +- Fixed issue with disk cleanup +- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files +- Locked down access to certain SSL keys +- Suricata logs now compress after they roll over +- Users can now easily customize shard counts per index +- Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS) +- Elastic nodes are now "hot" by default, making it easier to add a warm node later +- so-allow now runs at the end of an install so users can enable access right away +- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to `event.severity`: - 1-Low / 2-Medium / 3-High / 4-Critical - Initial implementation of alerting queues: - - Low & Medium alerts are accessible through Kibana & SOC Hunt - - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate analysis + - Low & Medium alerts are accessible through Kibana & Hunt + - High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis - ATT&CK Navigator is now a statically-hosted site in the nginx container - Playbook - - All Sigma rules in the community repo are now imported & kept up to date (500+) - - Initial implementation of automated testing when a Play's detection logic has been edited (ie Unit Testing) - - UI Theme has been 
updated - - Once authenticated through SOC, you can now access Playbook with analyst permissions without login -- Ingest parsing updates for Windows Eventlogs & Sysmon logs shipped with WinLogbeat & Osquery (ECS) -- Kolide Launcher update to include the ability to pass arbitrary flags - new functionality sponsored by SOS + - All Sigma rules in the community repo (500+) are now imported and kept up to date + - Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing) + - Updated UI Theme + - Once authenticated through SOC, users can now access Playbook with analyst permissions without login +- Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS - Fixed issue with Wazuh authd registration service port not being correctly exposed -- Added option for exposure of ES Rest API (port 9200) to so-allow for easier external querying/integration with other tools -- Added option to so-allow for external Strelka file uploads (ex. via `strelka-fileshot`) +- Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools +- Added option to so-allow for external Strelka file uploads (e.g., via `strelka-fileshot`) - Added default YARA rules for Strelka -- default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base - Added the ability to use custom Zeek scripts +- Renamed "master server" to "manager node" - Improved unification of Zeek and Strelka file data -- The web email & password set during setup is also used to create the initial accounts for TheHive, Cortex, and Fleet - ## Hybrid Hunter Beta 1.4.1 - Beta 3 From a041be5c218a39cc68bf16cef7aa8d82d1d42ab4 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Thu, 16 Jul 2020 11:33:11 -0400 Subject: [PATCH 256/314] [fix] Don't force YARA Strelka rules during setup --- setup/so-whiptail | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index e48850cb1..3556a8245 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1094,14 +1094,7 @@ whiptail_strelka_rules() { local exitstatus=$? - if [ $exitstatus == 0 ]; then - export STRELKARULES=1 - else - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - export STRELKARULES - - fi + if [[ $exitstatus == 0 ]]; then export STRELKARULES=1; fi } whiptail_suricata_pins() { From 9606d86e846d45448382f5e38012c9b06eb259be Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Jul 2020 13:36:44 -0400 Subject: [PATCH 257/314] dont run templates script if there arent templates --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 7e09ed6c1..909d30152 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -166,7 +166,7 @@ so-elasticsearch-pipelines: - file: esyml - file: so-elasticsearch-pipelines-file -{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] and TEMPLATES %} so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates From 25dbcfaebe0fcec669dfe4dc6ab1a42685e87df5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 16 Jul 2020 14:08:56 -0400 Subject: [PATCH 258/314] [refactor] Add check for "Result: False" in setup --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 149f4768d..7cf0c70f8 100755 --- a/setup/so-setup +++ b/setup/so-setup 
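Review bot: The removed branch routed a non-zero dialog status through `whiptail_check_exitstatus`, which presumably handled a Cancel/ESC; with the one-liner, a cancelled dialog and an explicit "No" are indistinguishable and setup continues with `STRELKARULES` unset. If that is the intended behaviour, a comment such as `# non-zero status (No or Cancel) leaves STRELKARULES unset` would record the decision; otherwise the cancel handling needs to come back.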
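Review bot: The new `and TEMPLATES` condition depends on a `TEMPLATES` variable that is not defined anywhere in the hunk; if it is not set earlier in `salt/elasticsearch/init.sls`, Jinja renders an undefined name as falsy and `so-elasticsearch-templates` silently never runs on any role. Please confirm the `{% set TEMPLATES = ... %}` exists above this line, and consider a comment on the condition such as `{# skip when the pillar declares no templates #}` so the guard's purpose is clear.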
@@ -55,7 +55,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { local title='Security Onion Install' - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi From c61a52cc5eb4c80790a34057a519ce5748ea52fd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Jul 2020 15:05:54 -0400 Subject: [PATCH 259/314] fix the container watch for logstash container state --- salt/logstash/init.sls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 60e0967c3..61d6aecc1 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -37,6 +37,7 @@ {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} include: - elasticsearch @@ -181,4 +182,6 @@ so-logstash: - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} {% endfor %} {% endfor %} - - file: /opt/so/conf/elasticsearch/templates/* \ No newline at end of file +{% for TEMPLATE in TEMPLATES %} + - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} +{% endfor %} \ No newline at end of file From 07626905c5cd5b47cfca22ed35f1a149ce5600eb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Jul 2020 15:20:11 -0400 Subject: [PATCH 260/314] Fix telegraf script perms --- salt/telegraf/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 99e12a60b..668a8839a 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls 
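Review bot: The extended pattern `"ERROR|Result: False"` is still a substring match, so any log line containing the uppercase word ERROR (a state ID or path that mentions it, for instance) trips the fatal path; anchoring the Salt form, e.g. `grep -qE "ERROR|^ +Result: False$" "$setup_log"`, narrows the new alternative to Salt's own result lines. While this line is being touched, `$setup_log` should be quoted as shown so a path with spaces cannot split the argument. The rest of progress() continues outside the hunk.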
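Review bot: The watch entries produced by the new loop, `- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}`, only resolve if the included elasticsearch state declares its template states with exactly this ID transform; a mismatch fails the whole so-logstash state at render time with a missing-requisite error, so a one-line comment above the loop naming the state it mirrors would help the next maintainer. The `.split('.')[0]` transform also maps two template names that differ only after the first dot onto the same ID, producing a duplicate watch target; replacing the dots instead of truncating at the first one avoids that if such names can occur. The file still ends without a trailing newline after `{% endfor %}`. The so-logstash state block starts above this hunk.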
@@ -21,9 +21,9 @@ tgrafetsdir: tgrafsyncscripts: file.recurse: - name: /opt/so/conf/telegraf/scripts - - user: 939 + - user: 0 - group: 939 - - file_mode: 755 + - file_mode: 700 - template: jinja - source: salt://telegraf/scripts From d31ce4aa4864033543aa3e81174762bdd0763ae3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Jul 2020 16:32:38 -0400 Subject: [PATCH 261/314] Fix soup issues --- salt/common/tools/sbin/soup | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 7ce5b2ac0..0cec8fe72 100644 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -23,11 +23,12 @@ default_salt_dir=/opt/so/saltstack/default manager_check() { # Check to see if this is a manager MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then + if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-managersearch')$ ]]; then echo "This is a manager. We can proceed" else echo "Please run soup on the manager. The manager controls all updates." exit 0 + fi } clean_dockers() { @@ -143,7 +144,7 @@ update_version() { upgrade_check() { # Let's make sure we actually need to update. NEWVERSION=$(cat $UPDATE_DIR/VERSION) - if [ $INSTALLEDVERSION == $NEWVERSION ]; then + if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "You are already running the latest version of Security Onion." exit 0 else 
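Review bot: Switching to `- user: 0` with `- file_mode: 700` makes the synced scripts readable and executable by root only, which leaves the retained `- group: 939` without effect; if the telegraf process runs as uid 939 (what the previous `user: 939` implies) it can no longer read or run these scripts. If root-only is the intent, drop the group line or document why it stays; if gid 939 still needs to run them, `- file_mode: 750` keeps the write lock-down without cutting the group off. Writing modes as quoted strings (`- file_mode: '0700'`) also avoids YAML reinterpreting a leading zero as octal.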
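Review bot: The new role check `=~ ^('so-eval'|'so-manager'|'so-managersearch')$` omits so-standalone, which the elasticsearch state in this series treats as a manager-type role; if a standalone node is meant to run soup, it is now told to "run soup on the manager" and exits. The single quotes inside the regex are shell quoting and do work in bash, but they read as part of the pattern; `^(so-eval|so-manager|so-managersearch|so-standalone)$` is clearer. The `MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')` line above it matches any grains line containing "role", so `grep '^role:'` would be safer there too.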
@@ -155,12 +156,13 @@ verify_latest_update_script() { # Check to see if the update scripts match. If not run the new one. CURRENTSOUP=$(md5sum /usr/sbin/soup) GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup) - if [ $CURRENTSOUP == $GITSOUP ]; then - echo "The scripts match" + if [ "$CURRENTSOUP" == "$GITSOUP" ]; then + echo "This version of the soup script is up to date. Verifying versions." else - echo "They don't match" - cp $UPDATE_DIR/salt/sommon/tools/sbin/soup /usr/sbin/soup + echo "You are not running the latest soup version. Updating soup." cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/ + salt-call state.apply common queue=True + echo "" echo "soup has been updated. Please run soup again" exit 0 fi @@ -175,10 +177,4 @@ clean_dockers update_dockers copy_new_files highstate -update_version - - - - - - +update_version \ No newline at end of file From 51beb52bb843c6136e92af265d3ecccccf93d453 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 16 Jul 2020 16:35:51 -0400 Subject: [PATCH 262/314] Osquery packages hostname fix --- salt/fleet/event_gen-packages.sls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 4aaf631e7..24b013704 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -4,11 +4,14 @@ {% set VERSION = salt['pillar.get']('static:soversion') %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} {% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{%- set FLEETNODE = salt['pillar.get']('static:fleet_node') -%} {% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %} {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %} -{% else %} +{% elif FLEETNODE %} {% set HOSTNAME = grains.host %} +{% else %} + {% set HOSTNAME = salt['pillar.get']('manager:url_base') %} {% endif %} so/fleet: 
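Review bot: The comparison `if [ "$CURRENTSOUP" == "$GITSOUP" ]` can never be true, because each variable holds the full `md5sum` output including the file path, and the two paths differ; every run therefore takes the else branch, re-copies soup, applies the common state and exits with "Please run soup again", so the script can loop without ever reaching the version check. Compare only the digest field, `if [ "${CURRENTSOUP%% *}" == "${GITSOUP%% *}" ]; then`, or strip the path when capturing (`md5sum ... | awk '{print $1}'`). The newly added `salt-call state.apply common queue=True` is also not conditioned on the preceding `cp` succeeding, so a failed copy still applies the state and reports soup as updated.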
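Review bot: The new fallback `{% set HOSTNAME = salt['pillar.get']('manager:url_base') %}` has no default and no emptiness check, unlike the CUSTOM_FLEET_HOSTNAME branch above it, so a missing `manager:url_base` pillar leaves HOSTNAME as None and the packages are generated for an empty host. Giving it a default, `salt['pillar.get']('manager:url_base', grains.host)`, or extending the guard keeps the generated enrollment packages pointing somewhere. The new `{%- set FLEETNODE ... -%}` line also uses whitespace-control dashes on both sides while every neighbouring `{% set %}` line does not; the trailing `-%}` swallows the following newline, which is harmless here but inconsistent with the file.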
From 21f09a9cd5f91bb23d2d8d9162dadfe9078d1ec0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Jul 2020 16:37:48 -0400 Subject: [PATCH 263/314] Fix salt refresh script --- salt/common/tools/sbin/so-saltstack-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update index 59c497487..73688dc08 100644 --- a/salt/common/tools/sbin/so-saltstack-update +++ b/salt/common/tools/sbin/so-saltstack-update @@ -32,8 +32,8 @@ copy_new_files() { # Copy new files over to the salt dir cd /tmp/sogh/securityonion git checkout $BRANCH - rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/ - rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/ + rsync -a salt $default_salt_dir/ + rsync -a pillar $default_salt_dir/ chown -R socore:socore $default_salt_dir/salt chown -R socore:socore $default_salt_dir/pillar chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh From 258d9d3bfc171aa753691908b58b1ebb664fe1db Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Jul 2020 17:07:04 -0400 Subject: [PATCH 264/314] change salt perms --- salt/common/init.sls | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index bb241c805..69aaa4a17 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -15,13 +15,20 @@ socore: - createhome: True - shell: /bin/bash -soperms: +soconfperms: file.directory: - - name: /opt/so + - name: /opt/so/conf - uid: 939 - gid: 939 - dir_mode: 770 - + +sosaltstackperms: + file.directory: + - name: /opt/so/saltstack + - uid: 939 + - gid: 939 + - dir_mode: 770 + # Create a state directory statedir: file.directory: From 2d68d5419b5f5d4097284b4047e2e7e2cb1ea43d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Jul 2020 19:47:15 -0400 Subject: [PATCH 265/314] fix adtotab perms --- salt/manager/init.sls | 5 +++++ 1 file changed, 5 insertions(+) 
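Review bot: `git checkout $BRANCH`, two lines above the changed rsync calls, is not checked, so if the branch name is wrong the new `rsync -a salt $default_salt_dir/` and `rsync -a pillar $default_salt_dir/` lines sync whatever was checked out before and the chown/chmod that follow make it live. A guard such as `git checkout "$BRANCH" || { echo "branch $BRANCH not found" >&2; exit 1; }` keeps a bad branch from overwriting the default tree. Dropping `--exclude-from 'exclude-list.txt'` also means anything that list used to hold back is now copied; if the file still exists in the checkout it should be removed so it does not look authoritative. copy_new_files begins above this hunk.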
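Review bot: Both new directory states set `- dir_mode: 770`, which makes /opt/so/conf and /opt/so/saltstack writable by every member of gid 939, and the tree under /opt/so/saltstack is what the master renders and applies as root; unless other accounts in that group are meant to edit states, `- dir_mode: 750` (or 700 for the saltstack tree) limits who can change root-executed configuration. Neither state declares `- require: - user: socore`, so they rely on file order for the socore account to exist; an explicit requisite makes that dependency survive reordering. Modes are also safer written as quoted strings (`- dir_mode: '0770'`) so YAML's octal handling cannot surprise.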
diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 43200cd5c..aef705724 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -26,6 +26,11 @@ socore_own_saltstack: - user - group +/opt/so/saltstack/default/pillar/data/addtotab.sh: + file.managed: + - mode: 750 + - replace: False + {% if managerproxy == 1 %} # Create the directories for apt-cacher-ng From cc77a50d8d7f3f91ba1a580aa0fbcb55995de321 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Jul 2020 21:05:44 -0400 Subject: [PATCH 266/314] change from manager to master for salt config.get --- salt/yum/etc/yum.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja index 81f981c1d..aab63550b 100644 --- a/salt/yum/etc/yum.conf.jinja +++ b/salt/yum/etc/yum.conf.jinja @@ -12,5 +12,5 @@ bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://b distroverpkg=centos-release {% if salt['pillar.get']('static:managerupdate', '0') %} -proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('manager')) }}:3142 +proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 {% endif %} \ No newline at end of file From 32a6f825c20f03887f7488bdaa7a4d8c7f7ff9b0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Jul 2020 08:14:37 -0400 Subject: [PATCH 267/314] Kibana dashboard updates --- salt/kibana/files/saved_objects.ndjson | 1435 ++++++++++++------------ 1 file changed, 725 insertions(+), 710 deletions(-) diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 152393142..81051c94b 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson 
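Review bot: `file.managed` with `- replace: False` and no `source` creates an empty file when /opt/so/saltstack/default/pillar/data/addtotab.sh does not yet exist, so a missing script becomes a zero-byte file with mode 750 rather than a visible failure. Adding `- create: False` makes the state only fix permissions on an existing file, which is what "fix perms" suggests. The state sets no user or group either, so a file it does create belongs to the minion's user while the socore_own_saltstack state above hands the tree to socore; `- user: socore` and `- group: socore` keep the two in agreement if that is the intent. Quoting the mode (`- mode: '0750'`) avoids YAML octal ambiguity.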
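Review bot: The guard `{% if salt['pillar.get']('static:managerupdate', '0') %}` on the line above the change defaults to the string `'0'`, which is truthy in Jinja, so when the pillar key is absent the proxy line is emitted anyway and, with the new `salt['config.get']('master')` lookup, every such minion is pointed at its master on port 3142 whether or not the apt-cacher-ng proxy is running there. Comparing the value explicitly, `{% if salt['pillar.get']('static:managerupdate', '0') | string == '1' %}`, makes the default actually disable the proxy. `config.get('master')` can also be a list on a multi-master minion, which would render the list's text inside the URL, so that topology needs handling if it is supported. The file still ends without a trailing newline.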
@@ -1,710 +1,725 @@ -{"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkwLDFd"} -{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value 
}}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9
?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b
32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplat
e\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip
_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\
"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certif
icate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_maj
or_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"com
munity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\
"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.
status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.name.keyword\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.countr
y_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyw
ord\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.name.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_i
mage_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_descript
ion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"strin
g\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_
geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"targ
et_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Network Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network 
Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/kibana#/dashboard/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/kibana#/dashboard/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/kibana#/dashboard/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/kibana#/dashboard/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/kibana#/dashboard/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/kibana#/dashboard/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/kibana#/dashboard/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [IRC](/kibana/app/kibana#/dashboard/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/kibana#/dashboard/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/kibana#/dashboard/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/kibana#/dashboard/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/kibana#/dashboard/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[RADIUS](/kibana/app/kibana#/dashboard/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/kibana#/dashboard/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/kibana#/dashboard/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/kibana#/dashboard/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/kibana#/dashboard/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/kibana#/dashboard/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/kibana#/dashboard/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/kibana#/dashboard/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/kibana#/dashboard/efae8de0-75eb-11ea-9565-7315f4ee5cac) | [Syslog](/kibana/app/kibana#/dashboard/66499a20-75ed-11ea-9565-7315f4ee5cac) | 
[Tunnels](/kibana/app/kibana#/dashboard/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/kibana#/dashboard/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"},\"aggs\":[]}"},"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEsMV0="} -{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086f
ff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h
:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gri
dData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d
-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value 
}}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-
4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualizatio
n,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live 
Query\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agen
t.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ip\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"pa
rent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\
"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.data\"}}},{\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.euid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gid\"}}},{\"name\":\"data.home\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.home.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.home\"}}},{\"name\":\"data.pwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.shell\"}}},{\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcuser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.hostname\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{
\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_r
egistered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"bo
olean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_sour
ce.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\
"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name
\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.info_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"strin
g\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"i
rc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server.certificate.subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"l
og.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"log.previous_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_log.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_output.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.address\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\
":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.hostnames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hostnames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hostnames\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.
uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os
query.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osq
uery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"ra
dius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"pare
nt\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.cis\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.cis.keyword\",\"type\":\"string\",
\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.cis\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.
keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",
\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"
string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name
\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\
"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"e
sTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",
\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.ho
st_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_al
ert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDoc
Values\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"syslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.escalated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.escalated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.peer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-16T12:45:20.069Z","version":"Wzc1MywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQsMV0="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Sender","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"},"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Recipient","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"},"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - TLS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"},"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzksMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"},"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExLDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-
478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SMTP","version":1},"id":"00304500-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyLDFd"} 
-{"attributes":{"columns":["note","source_ip","destination_ip","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Notices - Logs","version":1},"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro Notices](/kibana/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) 
\\n[ElastAlert](/kibana/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting** \\n[Connections](/kibana/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551) \\n[Kerberos](/kibana/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/kibana#/dashboard/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551) \\n[SNMP](/kibana/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551) 
\\n[Software](/kibana/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/kibana#/dashboard/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/kibana#/dashboard/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/kibana/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/kibana#/dashboard/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/kibana/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/kibana#/dashboard/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Source IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Source IP 
Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Destination IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"7c47b650-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Notice Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"},"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}],\"listeners\":{}}"},"id":"53c62730-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"},"id":"793c2640-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notice - Destination Port (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Notice - Destination Port (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Notice - Message/Sub-Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notice - 
Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"},"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG1uC-xQT5EBNmq3dP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Notices - Notice Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notices - Notice 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notices - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"pa
nelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
Notices","version":1},"id":"01600fb0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","name":"panel_2","type":"visualization"},{"id":"7c47b650-3580-11e7-98ef-19df58fe538b","name":"panel_3","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"53c62730-39ad-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"793c2640-39ad-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3LDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NTLM - 
Logs","version":1},"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"36
f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"NTLM - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyLDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCEx7xQT5EBNmq4Vf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname to Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname to 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"},"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server NetBIOS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server NetBIOS 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"},"id":"c23ea470-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server DNS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server DNS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server DNS 
Name\"}}]}"},"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server Tree Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server Tree Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"},"id":"2a054320-0edd-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":nul
l,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - 
NTLM","version":1},"id":"022713e0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"panel_2","type":"search"},{"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCEx7xQT5EBNmq4Vf","name":"panel_8","type":"visualization"},{"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"c23ea470-0edc-11e9-9846-59f545e7293f","name":"panel_10","type":"visualization"},{"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","name":"panel_11","type":"visualization"},{"id":"2a054320-0edd-11e9-9846-59f545e7293f","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Network Data","version":1},"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwLDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"0242ab70-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Files","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - 
Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/kibana#/dashboard/ff689c50-75f3-11ea-9565-7315f4ee5cac) \\n[Zeek](/kibana/app/kibana#/dashboard/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"},"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Log Count Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"patter
n\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
Modules\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Total Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Total 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"},"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - MIME 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de58-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-e
c80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Files","version":1},"id":"0245be10-6ec1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4LDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSL - Logs","version":1},"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Version (Pie 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"02699580-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3OCwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SIP - Logs","version":1},"id":"9e131480-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - 
Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"},"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NiwxXQ=="} -{"attributes":{"columns":["osquery.columns.permissions","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions - Sensitive 
Permissions","version":1},"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NiwxXQ=="} -{"attributes":{"columns":["osquery.hostname","osquery.columns.username","osquery.LiveQuery","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome 
Extensions","version":1},"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Changes by Hostname","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Top Network 
Protocols","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Top Network Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Transport","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category: 
network\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\"},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":14,\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\"},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":27,\"y\":0,\"w\":21,\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\"},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\"},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":12,\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\"},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\"},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":9,\"w\":11,\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\"},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Network","version":1},"id":"04ff3ef0-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyLDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Connections - Logs","version":1},"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Missed Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Missed 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"},"id":"05088150-3670-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"},"id":"052df440-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - GID/SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"},"id":"053f7130-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Originator Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NywxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Logs","version":1},"id":"84116380-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by 
Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMywxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"FTP - Logs","version":1},"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count Over 
Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - 
Query","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"},"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMiwxXQ=="} 
-{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Intel - Logs","version":1},"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Indicator Type (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator 
Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}"},"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"MySQL - 
Logs","version":1},"id":"5d624230-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - HTTP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SHA256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - 
SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSH - 
Logs","version":1},"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSH - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id"
:"09457310-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Hash - MD5","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"},"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3OCwxXQ=="} 
-{"attributes":{"columns":["source_ip","syslog-host_from","syslog-priority"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (All) - Logs","version":1},"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Host From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"},"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NSwxXQ=="} 
-{"attributes":{"columns":["host","certificate_subject","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"X.509 - Logs","version":1},"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMiwxXQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RDP - Logs","version":1},"id":"823dd600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Certificate Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Certificate Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNiwxXQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Logs","version":1},"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"},"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"},"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMywxXQ=="} 
-{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Connections","version":1},"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connections Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\
"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - 
State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"},"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Client Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Client 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Bytes\"}}]}"},"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Bytes\"}}]}"},"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - History","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - 
History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"},"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":6,\"y\":27,\"w\":11,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda
31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":12,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":27,\"w\":13,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Connections","version":1},"id":"0cc628b0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_7","type":"visualization"},{"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwLDFd"} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Modbus - Logs","version":1},"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Weird - 
Logs","version":1},"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over 
TIme\",\"type\":\"line\"}"},"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNywxXQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Alerts","version":1},"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 
12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Alert Level (Pie Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Alert Level (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"},"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG4pcDxQT5EBNmq3pi","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Event Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Event 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"},"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - User to Escalated User (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - User to Escalated User (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"},"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Command (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Process and Username (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Process and Username (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"OSSEC Alerts","version":1},"id":"0de7a390-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","name":"panel_2","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_4","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"},{"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5LDFd"} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SNMP - Logs","version":1},"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Alert 
Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alert Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Suricata](/kibana/app/kibana#/dashboard/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/kibana#/dashboard/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05)\"},\"aggs\":[]}"},"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Alerts","version":1},"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzczLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}]}"},"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Category","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"},"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc3LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: 
alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"w\":29,\"x\":0,\"y\":8},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"w\":19,\"x\":29,\"y\":8},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"w\":19,\"x\":0,\"y\":27},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"w\":10,\"x\":19,\"y\":27},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"w\":10,\"x\":29,\"y\":27},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"79
9598a4-39de-455d-bc39-409466b8b119\",\"w\":9,\"x\":39,\"y\":27},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Alerts","version":1},"id":"0e4af1d0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","name":"panel_1","type":"visualization"},{"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc4LDFd"} -{"attributes":{"columns":["event_type","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon - Logs","version":1},"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}],\"listeners\":{}}"},"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Logs","version":1},"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors/Devices - Total Number of Logs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices - Total Number of 
Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"},"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"},"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwOCwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","message_types","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DHCP - Logs","version":1},"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNywxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DCE/RPC - Logs","version":1},"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RADIUS - Logs","version":1},"id":"75545310-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - 
MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"},"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Logstash - Processing Performance","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Processing Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of 
logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR 
tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Errors","version":1},"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Logstash - Error Type (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Error Type (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgzLDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Avg Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Avg Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHIynExQT5EBNmq49q","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Median Processing TIme","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Median Processing 
TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"},"id":"AWDHJY1BxQT5EBNmq5Ay","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Max Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Max Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHJpuBxQT5EBNmq5Cr","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Error Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKEF2xQT5EBNmq5FA","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors/Devices and Services","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices and 
Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg4LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36
,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Stats","version":1},"id":"130017f0-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","name":"panel_0","type":"visualization"},{"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","name":"panel_1","type":"visualization"},{"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","name":"panel_2","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_3","type":"visualization"},{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"panel_4","type":"search"},{"id":"AWDHIynExQT5EBNmq49q","name":"panel_5","type":"visualization"},{"id":"AWDHJY1BxQT5EBNmq5Ay","name":"panel_6","type":"visualization"},{"id":"AWDHJpuBxQT5EBNmq5Cr","name":"panel_7","type":"visualization"},{"id":"AWDHKEF2xQT5EBNmq5FA","name":"panel_8","type":"visualization"},{"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1342e630-4632-11e7-9903-85f789353078","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"},"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Connection State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}"},"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RFB - Logs","version":1},"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Exclusive Session (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RFB - Exclusive Session (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"14274040-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agents","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"14ed9540-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Length (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Length (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"},"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"1563f380-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMB - Logs","version":1},"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Server Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Server 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"},"id":"15fa3b30-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"178209e0-6e1b-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MSwxXQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NIDS - Alerts","version":1},"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Alert Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"},"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Source IP Address","uiStateJSON":"{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Total Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MywxXQ=="} -{"attributes":{"columns":["entry","entry_location","image_path","hostname","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Autoruns - Logs","version":1},"id":"dd700830-6d69-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - 
Profile","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"},"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Alert Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Alert 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"},"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Rule","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - 
Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"},"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}],\"listeners\":{}}"},"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination 
Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk2LDFd"} -{"attributes":{"columns":["rule_name","matches","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"ElastAlert","version":1},"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Elastalert - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG7DVRxQT5EBNmq3zM","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk4LDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\"
:[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"ElastAlert","version":1},"id":"1d98d620-7dce-11e7-846a-150cdcaf3374","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","name":"panel_1","type":"visualization"},{"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","name":"panel_2","type":"visualization"},{"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_3","type":"visualization"},{"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_4","type":"visualization"},{"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_5","type":"visualization"},{"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_6","type":"visualization"},{"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_7","type":"search"},{"id":"AWDG7DVRxQT5EBNmq3zM","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"},"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Response Code (Name)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code 
(Name)\"}}]}"},"id":"22f7de30-4949-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NywxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","resp_fuids","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"HTTP - Logs","version":1},"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Sites","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Sites Hosting EXEs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites Hosting 
EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - URIs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"ae591c20-4164-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Referrer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - MIME Type (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"934fe550-6e08-11e7-9370-174c4785d3e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Port (Vertical Bar 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Country (Vertical Bar 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG97t7xQT5EBNmq4E1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Status and Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"HTTP - Status and 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"},"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\
"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"20\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"23\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"24\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
HTTP","version":1},"id":"230134a0-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","name":"panel_1","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_2","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_3","type":"visualization"},{"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","name":"panel_4","type":"visualization"},{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_6","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"ae591c20-4164-11e7-9850-b78558d0ac17","name":"panel_8","type":"visualization"},{"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","name":"panel_9","type":"visualization"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_10","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_11","type":"visualization"},{"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"AWDG97t7xQT5EBNmq4E1","name":"panel_13","type":"visualization"},{"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Validation Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Validation 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"},"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Connections - Bytes and Duration","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/kibana#/dashboard/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/kibana#/dashboard/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection 
Duration](/kibana/app/kibana#/dashboard/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"25ce6eb0-463b-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMywxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Tunnels - Logs","version":1},"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{
}}"},"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNiwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (Bro) - Logs","version":1},"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Connections - Service By Destination Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"277f3250-4161-11e7-8493-51634b0a4565","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Result","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"},"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"e1907430-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Reply Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}"},"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExOCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Reply Code","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"FTP - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9sT_xQT5EBNmq4DI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\
":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
FTP","version":1},"id":"27f3b380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"e1907430-35b6-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","name":"panel_7","type":"visualization"},{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"panel_8","type":"search"},{"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","name":"panel_9","type":"visualization"},{"id":"AWDG9sT_xQT5EBNmq4DI","name":"panel_10","type":"visualization"},{"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNiwxXQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Logs","version":1},"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Key Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Key Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MCwxXQ=="} 
-{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - HTTP","version":1},"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Virtual Host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual 
Host\"}}]}"},"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top Source IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top Source IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NCwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","request_type","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Kerberos - Logs","version":1},"id":"452daa10-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNSwxXQ=="} -{"attributes":{"columns":["file_ip","destination_ip","source","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Files - 
Logs","version":1},"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Target Filename","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Target 
Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"},"id":"29611940-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"296823d0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxOCwxXQ=="} 
-{"attributes":{"columns":["action","reason","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Firewall - Logs","version":1},"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Action/Reason (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Action/Reason (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"},"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - 
Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Client/Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - 
Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6571ee10-3584-11e7-a588-05992195c551","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Files By Size (Bytes)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Files By Size 
(Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"},"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}"},"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - MIME Type (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}]}"},"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"aa021c90-3678-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9goqxQT5EBNmq4BP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"},"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\
":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Files","version":1},"id":"2d315d80-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"6571ee10-3584-11e7-a588-05992195c551","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","name":"panel_3","type":"visualization"},{"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","name":"panel_4","type":"visualization"},{"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","name":"panel_5","type":"visualization"},{"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"aa021c90-3678-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"AWDG9goqxQT5EBNmq4BP","name":"panel_8","type":"visualization"},{"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Request Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Request 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"},"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Content Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Content Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"2db47070-3754-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - SAN DNS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - SAN 
DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"},"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzOSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":21,\"h\":21,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":8,\"w\":27,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":29,\"w\":27,\"h\":18,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":29,\"w\":21,\"h\":18,\"i\":\"007d1727-a948-4770-96c8-a5f130261cf8\"},\"panelIndex\":\"007d1727-a948-4770-96c8-a5f130261cf8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
X509","version":1},"id":"2e0865f0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","name":"panel_4","type":"visualization"},{"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"},"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Entry","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry 
Location\"}}],\"listeners\":{}}"},"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Analyzer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"},"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3OSwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNP3 - 
Logs","version":1},"id":"c2587840-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},
"id":"593f1850-3581-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9DWvxQT5EBNmq3-m","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Request","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"},"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"},"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"ve
rsion\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
DNP3","version":1},"id":"2fdf5bf0-3581-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"593f1850-3581-11e7-98ef-19df58fe538b","name":"panel_1","type":"visualization"},{"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG9DWvxQT5EBNmq3-m","name":"panel_6","type":"visualization"},{"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Seen (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Intel - Seen (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen 
(Where)\"}}]}"},"id":"3013af40-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Authentication Result","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File/Path Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"SMB - File/Path 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"},"id":"3072c750-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/kibana#/dashboard/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/kibana#/dashboard/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/kibana#/dashboard/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | [Network](/kibana/app/kibana#/dashboard/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) 
\"},\"aggs\":[]}"},"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MSwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - All Logs","version":1},"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{},\"pane
lRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Indicator","version":1},"id":"30d0ac90-729f-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"312cd460-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Server 
Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP 
- Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"317f8410-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Action (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Action (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"}
,"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IRC - Logs","version":1},"id":"344c6010-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Severity (Horizontal Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Severity (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"},"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Share Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Share 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"34762420-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"},"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"3753e110-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - IRC - Command Info","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"},"id":"db279540-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - User Command Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Type\"}}]}"},"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"w\":8,\"x\":0,\"y\":8},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"w\":9,\"x\":8,\"y\":8},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"w\":15,\"x\":17,\"y\":8},\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
IRC","version":1},"id":"38523560-75ba-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db279540-75bb-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary - Drilldown","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MSwxXQ=="} -{"attributes":{"columns":["message"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Archive","version":1},"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHXl3xQT5EBNmq42U","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6
\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"OSSEC","version":1},"id":"3a457d70-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_2","type":"search"},{"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHHXl3xQT5EBNmq42U","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Image","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Sysmon - 
Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"},"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Priority (Vertical bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Priority (Vertical bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}]}"},"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3e6037d0-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agent - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agent - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Source 
IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyOSwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Domains with creation date < 3 
months","version":1},"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Baby Domain Requests","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Baby Domain Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"},"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"},"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKVLMxQT5EBNmq5HX","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefNam
e\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Syslog","version":1},"id":"4323af90-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_1","type":"visualization"},{"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_2","type":"visualization"},{"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_3","type":"visualization"},{"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_4","type":"visualization"},{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"panel_5","type":"search"},{"id":"AWDHKVLMxQT5EBNmq5HX","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"},"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Least Common HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Least Common HTTP 
Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"},"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - UserAgent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"},"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"},"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b
6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - HTTP","version":1},"id":"44e9c820-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","name":"panel_7","type":"visualization"},{"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus 
- Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"},"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Category","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - 
Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"},"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Class (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"},"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1OSwxXQ=="} -{"attributes":{"columns":["message","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"PE - Logs","version":1},"id":"66288140-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - OS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"},"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"},"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}"},"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"},"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Round Trip Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Round Trip 
Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"},"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG8k4OxQT5EBNmq37a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}]}"},"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"
version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DCE/RPC","version":1},"id":"46582d50-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_2","type":"visualization"},{"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_8","type":"visualization"},{"id":"AWDG8k4OxQT5EBNmq37a","name":"panel_9","type":"visualization"},{"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"},"id":"613de590-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"a5571030-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - 
Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"},"id":"6380b430-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"af614b80-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Matched","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"},"id":"c8540380-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG-Qf8xQT5EBNmq4G5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"
8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - 
Intel","version":1},"id":"468022c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"3013af40-399b-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"613de590-399b-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"a5571030-399b-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"6380b430-399c-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"af614b80-399c-11e7-8472-0151e5b2b475","name":"panel_7","type":"visualization"},{"id":"c8540380-399c-11e7-8472-0151e5b2b475","name":"panel_8","type":"visualization"},{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","name":"panel_10","type":"visualization"},{"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","name":"panel_11","type":"visualization"},{"id":"AWDG-Qf8xQT5EBNmq4G5","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Category","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Autoruns - 
Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"},"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Request From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Request 
From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"},"id":"49384710-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Network - Transport","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"},"id":"499a0690-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Protocol (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Protocol (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Request Type (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Request Type (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"},"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"},"id":"4adca340-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ 
-highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ -highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ -highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND 
highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Alexa Top Sites","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top 
Sites\",\"type\":\"gauge\"}"},"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Top Connection Duration","version":1},"id":"4e108070-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Section Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Section 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - IP to MAC Assignment","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP 
Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":false}","panelsJSON":"[]","timeRestore":false,"title":"OSSEC","version":1},"id":"4f6f3440-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process Name\"}}]}"},"id":"4fe16b60-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"df06de60-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Destination 
Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Protocol","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enab
led\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Firewall - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHH3kBxQT5EBNmq459","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h
\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Firewall","version":1},"id":"50173bd0-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"df06de60-6d75-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","name":"panel_4","type":"visualization"},{"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","name":"panel_6","type":"visualization"},{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"panel_7","type":"search"},{"id":"AWDHH3kBxQT5EBNmq459","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File Size","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File 
Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"},"id":"50b4c880-72df-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"},"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMTP - Logs","version":1},"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Webmail - True/False (Vertical Bar 
Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"},"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Tree","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"},"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"},"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18
:49:59.193Z","version":"WzIxOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelIndex\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec9
5073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - NTLM","version":1},"id":"558292e0-75c1-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Response Code 
Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":22,\"h\":19,\"i\":\"bf16d99c-68ac-41ea-8047-04e7c363dce3\"},\"panelIndex\":\"bf16d99c-68ac-41ea-8047-04e7c363dce3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-80
24-4f3f-9de0-869622470e4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - DNS","version":1},"id":"55ac6bf0-6ec4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"IRC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e4615200-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyOCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_HoKxQT5EBNmq4KN","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName
\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - IRC","version":1},"id":"56a34ce0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"e4615200-35b7-11e7-a994-c528746bc6e8","name":"panel_3","type":"visualization"},{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG_HoKxQT5EBNmq4KN","name":"panel_6","type":"visualization"},{"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - 
Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease 
Time\"}}]}"},"id":"58c84f60-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Log Count By Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Devices - Log Count By Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"},"id":"5b3988c0-a840-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Client 
Build","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Client Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"},"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Security Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Security 
Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"w\":9,\"x\":9,\"y\":8},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"w\":7,\"x\":18,\"y\":8},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"w\":7,\"x\":25,\"y\":8},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"w\":7,\"x\":32,\"y\":8},\"panelIndex\":\"35083762-45
91-44ac-a31f-36bed3414af2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - RDP","version":1},"id":"5b743150-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Nodes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"5cba9760-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Client 
Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Connection 
Information","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"},"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - FIle Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File 
Path\"}}],\"listeners\":{}}"},"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Data Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Data Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"},"id":"60925490-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Hostname (Tag 
Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Launch 
String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"},"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Company","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - 
Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Signer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"},"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHG1IaxQT5EBNmq4yR","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0OSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,
\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Autoruns","version":1},"id":"61d43810-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHG1IaxQT5EBNmq4yR","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"},"id":"62449800-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"62969db0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"62ac4060-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop 
Name\"}}],\"listeners\":{}}"},"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Rule Signature","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS Signature\"}}]}"},"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Facility","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - 
Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"},"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - 
Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}]}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":8,\"h\":19,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"8cf5472b-8421-4577-81ad-2c496b1c71ce\"},\"panelIndex\":\"8cf547
2b-8421-4577-81ad-2c496b1c71ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Syslog","version":1},"id":"66499a20-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Query/Answer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"},"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors - Sensor and Services (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sensors - Sensor and Services (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"},"id":"73806f30-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
IP\"}}]}"},"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":16,\"h\":24,\"x\":
0,\"y\":120,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"18\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"20\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"22\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"},{\"panelIndex\":\"26\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_16\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_17\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_18\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Indi
cator","version":1},"id":"68563ed0-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"60925490-34bf-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_2","type":"visualization"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_4","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_5","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_6","type":"visualization"},{"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_8","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_10","type":"search"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_11","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_13","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_14","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_15","type":"visualization"},{"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","name":"panel_16","type":"visualization"},{"id":"73806f30-4948-11e8-9576-313be7c6b44b","name":"panel_17","type":"visualization"},{"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","name":"panel_18","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data - 
Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"689991b0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Originator 
Bytes","version":1},"id":"68f738e0-46ca-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Weird - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"},"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"710ccbf0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Success Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Success Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"b31231c0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"f0178840-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Cipher (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Cipher (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"},"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Renewable","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"},"id":"bb748470-6e1a-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_UbkxQT5EBNmq4Lg","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"pane
l_4\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - 
Kerberos","version":1},"id":"6b0d4870-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","name":"panel_1","type":"visualization"},{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"710ccbf0-35bb-11e7-b9ee-834112670159","name":"panel_3","type":"visualization"},{"id":"b31231c0-35bb-11e7-b9ee-834112670159","name":"panel_4","type":"visualization"},{"id":"f0178840-35bb-11e7-b9ee-834112670159","name":"panel_5","type":"visualization"},{"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","name":"panel_6","type":"visualization"},{"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_7","type":"visualization"},{"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_8","type":"visualization"},{"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_9","type":"visualization"},{"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","name":"panel_10","type":"visualization"},{"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","name":"panel_11","type":"visualization"},{"id":"bb748470-6e1a-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDG_UbkxQT5EBNmq4Lg","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination Port","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Sysmon - Destination 
Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Event ID (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Event ID (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"},"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sysmon - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHk1sxQT5EBNmq43Y","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":48
,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NywxXQ=="} -{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.6.1","references":[],"type":"config","updated_at":"2020-06-15T18:49:59.193Z","version":"WzAsMV0="} -{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.7.1","references":[],"type":"config","updated_at":"2020-06-15T19:30:22.411Z","version":"WzcwNCwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME 
Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\
":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Total Bytes Per Source/Destination IP Pair","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source 
IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connections - Total Bytes Per Source/Destination IP 
Pair\",\"type\":\"table\"}"},"id":"726cc040-48cf-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"},"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Log Type Per Sensor/Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Log Type Per 
Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"},"id":"733ce440-494d-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Signing Algorithm","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Signing 
Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"},"id":"738127f0-37d7-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Command","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d3435690-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - 
User","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"},"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Password","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"},"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-3
0ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - FTP","version":1},"id":"739bfad0-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"d3435690-755f-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"From\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"From\\\" 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"},"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Organizational Domain(s)","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"},"id":"74861280-6f06-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - 
Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"},"id":"75597b60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process CLI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"},"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - 
Username\"}"},"id":"767c89f0-af4c-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T21:09:12.842Z","version":"WzcwNiwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"781447d0-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Sensitive Permissions","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Sensitive Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension 
Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"},"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHBRrrxQT5EBNmq4TI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"},"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},
{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - MySQL","version":1},"id":"7929f430-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHBRrrxQT5EBNmq4TI","name":"panel_4","type":"visualization"},{"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Name\"}}]}"},"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major 
Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Virtual Host Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Virtual Host Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"},"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Authentication Sucess","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Authentication Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyOSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"},"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Highest Registered Domain Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Highest Registered Domain Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a6df8820-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db04aef0-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Severity (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts By Country (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"NIDS - Alerts By Country (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG3ym0xQT5EBNmq3mG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Classification","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"},"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelR
efName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"NIDS","version":1},"id":"7f27a830-34e5-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"a6df8820-399f-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"db04aef0-399f-11e7-8472-015
1e5b2b475","name":"panel_4","type":"visualization"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_8","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_9","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"7f7492d0-46c4-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"},"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualizati
on","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Requested Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Requested Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"},"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Assigned Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Assigned 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"},"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Message 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}]}"},"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"c3c45ad6-fbbb-40d9-96e4-8bf2006ca138\"},\"panelIndex\":\"c3c45ad6-fb
bb-40d9-96e4-8bf2006ca138\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DHCP","version":1},"id":"80625c10-96dd-11ea-814e-bb515e873c2c","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_3","type":"visualization"},{"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_4","type":"visualization"},{"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_5","type":"visualization"},{"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - Subsystem (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Subsystem (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: 
Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"80aa0c60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule 
ID\"}}]}"},"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND event.module:suricata\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":7,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":7,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\"
,\"gridData\":{\"x\":38,\"y\":7,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":16,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":27,\"w\":22,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":27,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Alerts - Suricata","version":1},"id":"81057f40-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","
version":"WzMzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Response From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response From\"}}]}"},"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source 
IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8261cf00-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community 
String\"}}]}"},"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 
minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"8491c4b0-6eab-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG80RwxQT5EBNmq38x","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Message Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Message Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message 
Types\"}}]}"},"id":"a88e1020-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Domain Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain Name\"}}]}"},"id":"ce859b40-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}}},\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - 
DHCP","version":1},"id":"85348270-357b-11e7-ac34-8965f6420c51","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","name":"panel_2","type":"visualization"},{"id":"317f8410-3655-11e7-baa7-b7de4ee40605","name":"panel_3","type":"visualization"},{"id":"AWDG80RwxQT5EBNmq38x","name":"panel_4","type":"visualization"},{"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"58c84f60-0edb-11e9-9846-59f545e7293f","name":"panel_7","type":"visualization"},{"id":"a88e1020-0edb-11e9-9846-59f545e7293f","name":"panel_8","type":"visualization"},{"id":"ce859b40-0edb-11e9-9846-59f545e7293f","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 
minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Status (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"},"id":"869e3030-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Exception","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"},"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":
8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Modbus","version":1},"id":"886a7b90-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"62449800-75be-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCUeZxQT5EBNmq4Xy","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Bro - 
PE","version":1},"id":"8a10e380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","name":"panel_5","type":"visualization"},{"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","name":"panel_6","type":"visualization"},{"id":"AWDHCUeZxQT5EBNmq4Xy","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - HASSH","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Notice Generated (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Weird - Notice Generated (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Client Build","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"},"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Files - MIME Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files - MIME 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"8fb3c480-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"All Sensors - Log Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"All Sensors - Log 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"},"id":"901bda80-a83f-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"b0456970-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCgWzxQT5EBNmq4Y5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\
"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - RADIUS","version":1},"id":"90b246c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_5","type":"visualization"},{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"b0456970-6e1f-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCgWzxQT5EBNmq4Y5","name":"panel_8","type":"visualization"},{"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Destination Country (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Destination Country (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - ID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.id.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"},"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Host Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/kibana#/dashboard/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"aggs\":[]}"},"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2OCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"w\":15,\"x\":8,\"y\":0},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"w\":7,\"x\":0,\"y\":8},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"w\":7,\"x\":7,\"y\":8},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"w\":8,\"x\":14,\"y\":8},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"6220624b-e5d5-4fa2-82e1-85287afb280a\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"6220624b-e5d5-4fa2-82e1-85287afb280a\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"w\":17,\"x\":31,\"y\":8},\"panelIndex\":\"0c1675bb-0
1ef-4020-95f1-3f35e0c6fad8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Host","version":1},"id":"92e63cc0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"4fe16b60-72bd-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content 
Type\"}}],\"listeners\":{}}"},"id":"930b1600-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y
\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"panelIndex\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Wazuh","version":1},"id":"9480f190-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total Number of Logs","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"},"id":"AWDGyaGxxQT5EBNmq3K9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sensors - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"},"id":"AWDGzmzcxQT5EBNmq3Sj","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"},"id":"AWDG0UDvxQT5EBNmq3WD","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,
\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"32\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"33\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"34\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"35\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"36\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,\"i\":\"36\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"37\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"38\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"39\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"40\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"41\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"Overview","version"
:1},"id":"94b52620-342a-11e7-9d52-4f090484f59e","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_1","type":"search"},{"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","name":"panel_2","type":"visualization"},{"id":"277f3250-4161-11e7-8493-51634b0a4565","name":"panel_3","type":"visualization"},{"id":"901bda80-a83f-11e7-893a-1b88920b2837","name":"panel_4","type":"visualization"},{"id":"5b3988c0-a840-11e7-893a-1b88920b2837","name":"panel_5","type":"visualization"},{"id":"AWDGyaGxxQT5EBNmq3K9","name":"panel_6","type":"visualization"},{"id":"AWDGzmzcxQT5EBNmq3Sj","name":"panel_7","type":"visualization"},{"id":"AWDG0UDvxQT5EBNmq3WD","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_10","type":"visualization"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_11","type":"visualization"},{"id":"733ce440-494d-11e8-9576-313be7c6b44b","name":"panel_12","type":"visualization"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_13","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"w\":17,\"x\":13,\"y\":0},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"w\":10,\"x\":9,\"y\":8},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"w\":11,\"x\":19,\"y\":8},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
SNMP","version":1},"id":"96522610-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"To\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"},"id":"96767400-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4OCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Keyboard Layout (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Keyboard Layout (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}"},"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Result (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Result (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"},"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Encryption Level (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"RDP - Encryption Level 
(Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}"},"id":"ef307a70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RDP - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCvBexQT5EBNmq4aK","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5OCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"versi
on\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - RDP","version":1},"id":"97f8c3a0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","name":"panel_6","type":"visualization"},{"id":"75597b60-371c-11e7-90f8-87842d5eedc9","name":"panel_7","type":"visualization"},{"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","name":"panel_8","type":"visualization"},{"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","name":"panel_9","type":"visualization"},{"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"ef307a70-6e20-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"AWDHCvBexQT5EBNmq4aK","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"9a54f150-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNywxXQ=="} -{"attributes":{"columns":["source_ip","name","software_type"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Software - Logs","version":1},"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Software - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Software - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}]}"},"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"},"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial 
Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"value\":\"0\",\"params\":{\"query\":0,\"type\":\"phrase\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"]},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"title\":\"Changes by Type\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelIndex\":\"14\",\"embeddableConfig\":{},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - 
Overview","version":1},"id":"9d0e2da0-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"panel_1","type":"search"},{"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","name":"panel_2","type":"visualization"},{"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","name":"panel_3","type":"visualization"},{"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
Port\"}}]}"},"id":"9d3413c0-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073
-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SSH","version":1},"id":"9dfd77e0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"},"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Named 
Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"c2f21270-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"},"id":"df7989f0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591
-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DCE/RPC","version":1},"id":"9e882df0-72c5-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","name":"panel_5","type":"visualization"},{"id":"c2f21270-96db-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"df7989f0-96db-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNCwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Osquery","version":1},"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-16T12:19:26.779Z","version":"WzcyMywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication 
Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"},"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"e8982270-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"c24191f0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RFB - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHC8iGxQT5EBNmq4bs","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,
\"i\":\"13\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - RFB","version":1},"id":"9ef20ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"869e3030-371e-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"14274040-371f-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","name":"panel_8","type":"visualization"},{"id":"e8982270-6e21-11e7-b553-7f80727663c1","name":"panel_9","type":"visualization"},{"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"c24191f0-6e22-11e7-b553-7f80727663c1","name":"panel_12","type":"visuali
zation"},{"id":"AWDHC8iGxQT5EBNmq4bs","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. 
Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. 
Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. 
\\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Help","version":1},"id":"AV6-POJSDwoBUzALqKAg","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AV6-PHKnDwoBUzALqJ_c","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Issuer Common Name Frequency 
Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"},"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Server Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Server Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"},"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Organization Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Organization Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Organization\"}}],\"listeners\":{}}"},"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Parent Domain Frequency Analysis","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\
",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}]","timeRestore":false,"title":"Frequency 
Analysis","version":1},"id":"AWAi5k4jAvKNGEbUWFis","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","name":"panel_0","type":"visualization"},{"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","name":"panel_1","type":"visualization"},{"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","name":"panel_2","type":"visualization"},{"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","name":"panel_3","type":"visualization"},{"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","name":"panel_4","type":"visualization"},{"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_5","type":"visualization"},{"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","name":"panel_6","type":"visualization"},{"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_7","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_8","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_9","type":"search"},{"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Baby Domains","version":1},"id":"AWAi6wvxAvKNGEbUWO_j","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"panel_2","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MywxXQ=="} 
-{"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client
_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\"
:\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.
FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Targ
etUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafk
a.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_
params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"t
ype\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ge
o.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.
hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik
.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_
code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"id":"AWBLHZaBRuBloj96j
vrD","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NCwxXQ=="} -{"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"7.4.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Computer Names","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Computer Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLNriuRuBloj96jxv3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Event IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Event 
IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLOT8MRuBloj96jx0N","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Usernames","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Beats - Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLONJCRuBloj96jxzY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"AWBLQ2__RuBloj96jyDn","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Beats - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHHR8xQT5EBNmq4z7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig
\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Beats","version":1},"id":"AWBLNS3CRuBloj96jxub","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AWBLMr9vRuBloj96jxp1","name":"panel_0","type":"search"},{"id":"AWBLNriuRuBloj96jxv3","name":"panel_1","type":"visualization"},{"id":"AWBLN7X2RuBloj96jxxY","name":"panel_2","type":"visualization"},{"id":"AWBLOT8MRuBloj96jx0N","name":"panel_3","type":"visualization"},{"id":"AWBLONJCRuBloj96jxzY","name":"panel_4","type":"visualization"},{"id":"AWBLQ2__RuBloj96jyDn","name":"panel_5","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_6","type":"visualization"},{"id":"AWDHHHR8xQT5EBNmq4z7","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG71xFxQT5EBNmq336","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9Qx0xQT5EBNmq3_2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHD-LfxQT5EBNmq4iB","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDNS4xQT5EBNmq4dF","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDfDkxQT5EBNmq4fQ","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDsr0xQT5EBNmq4gw","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHE-_wxQT5EBNmq4n3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEKJUxQT5EBNmq4jW","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEYk4xQT5EBNmq4k5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHElRWxQT5EBNmq4lz","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHFYrqxQT5EBNmq4qT","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGXk-xQT5EBNmq4uf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGklsxQT5EBNmq4wG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Connection","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"},"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination 
Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination IP","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total 
Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination 
IP\",\"type\":\"histogram\"}"},"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Connections - Total 
Bytes","version":1},"id":"a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_1","type":"visualization"},{"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_2","type":"visualization"},{"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","name":"panel_3","type":"visualization"},{"id":"726cc040-48cf-11e8-9576-313be7c6b44b","name":"panel_4","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - Request - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - Request - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Data Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Data 
Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count By Node ","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Log Count By Node 
\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"},"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"w\":17,\"x\":9,\"y\":0},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\",\"w\":22,\"x\":26,\"y\":0},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"w\":22,\"x\":0,\"y\":8},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"w\":8,\"x\":31,\"y\":8},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Home","version":1},"id":"a8411b30-6d03-11ea-b301-3d6c35840645","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Query Results Count","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query 
Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Osquery - Query Results Count\"}"},"id":"ab47a590-afcc-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-16T12:58:03.053Z","version":"Wzc1NCwyXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"}]","timeRestore":false,"title":"Security Onion - Users","version":1},"id":"abbe1140-72c7-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset By Node","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset By Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"abffa080-6ec9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f5166880-374f-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Request Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}"},"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\"
:\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"18\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\
"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SIP","version":1},"id":"ad3c0830-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5166880-374f-11e7-b74a-f5057991ccd2","name":"panel_2","type":"visualization"},{"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","name":"panel_3","type":"visualization"},{"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","name":"panel_4","type":"visualization"},{"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","name":"panel_5","type":"visualization"},{"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","name":"panel_6","type":"visualization"},{"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","name":"panel_7","type":"visualization"},{"id":"930b1600-3753-11e7-b74a-f5057991ccd2","name":"panel_8","type":"visualization"},{"id":"2db47070-3754-11e7-b74a-f5057991ccd2","name":"panel_9","type":"visualization"},{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","name":"panel_11","type":"visualization"},{"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","name":"panel_12","type":"visualization"},{"id":"AWDHDNS4xQT5EBNmq4dF","name":"panel_13","type":"visualization"},{"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:files\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"panelIndex\":\"0e36a0b5-5
905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - Zeek 
Files","version":1},"id":"ad4d5d60-75f4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Destination Country (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: 
Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - TLS - True/False (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"},"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial 
Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"title\":\"Chrome Extensions - Logs\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"title\":\"Chrome Extensions - Sensitive Permissions\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelIndex\":\"20\",\"embeddableConfig\":{},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Chrome 
Extensions","version":1},"id":"af0ea750-18d3-11e9-932c-d12d2cf4ee95","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","name":"panel_1","type":"visualization"},{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"panel_2","type":"search"},{"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_3","type":"visualization"},{"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Osquery - Name\"}"},"id":"af139720-afcb-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-16T12:19:53.873Z","version":"WzcyNywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"},"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Country (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Destination Country (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - TLS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"d776e510-6e28-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\
"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"Bro - SMTP","version":1},"id":"b10a9c60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"96767400-39a2-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","name":"panel_7","type":"visualization"},{"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","name":"panel_8","type":"visualization"},{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"d776e510-6e28-11e7-8b76-75eee0095daa","name":"panel_10","type":"visualization"
},{"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","name":"panel_11","type":"visualization"},{"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","name":"panel_12","type":"visualization"},{"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","name":"panel_13","type":"visualization"},{"id":"AWDHDsr0xQT5EBNmq4gw","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - IIN","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"},"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae
5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - DNP3","version":1},"id":"b1f52180-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Authentication 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba
2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Kerberos","version":1},"id":"b207ab90-75bc-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwOSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":
\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SMB","version":1},"id":"b3a53710-3aaa-11e7-8b17-0d8709b02c80","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","name":"panel_2","type":"visualization"},{"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","name":"panel_3","type":"visualization"},{"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","name":"panel_4","type":"visualization"},{"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","name":"panel_5","type":"visualization"},{"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","name":"panel_8","type":"visualization"},{"id":"AWDHDfDkxQT5EBNmq4fQ","name":"panel_9","type":"visualization"},{"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"},"id":"b50912f0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Responder Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Responder Bytes","version":1},"id":"b65775e0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Session Duration","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Session 
Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"},"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"
y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SNMP","version":1},"id":"b65c2710-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","name":"panel_2","type":"visualization"},{"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","name":"panel_3","type":"visualization"},{"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","name":"panel_4","type":"visualization"},{"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","name":"panel_5","type":"visualization"},{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","name":"panel_7","type":"visualization"},{"id":"AWDHD-LfxQT5EBNmq4iB","name":"panel_8","type":"visualization"},{"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMiwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Validation Status","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Validation Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"},"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-
3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - RADIUS","version":1},"id":"b9769e60-75c4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_5","type":"visualization"},{"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T21:09:44.413Z","version":"WzcwNywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac
55b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"Security Onion - Osquery","version":1},"id":"bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ab47a590-afcc-11ea-b262-353d451b125b","name":"panel_3","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"search"}],"type":"dashboard","updated_at":"2020-06-16T12:33:26.077Z","version":"Wzc0MiwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzOCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Software","version":1},"id":"c2c99c30-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"AWDHEKJUxQT5EBNmq4jW","name":"panel_3","type":"visualization"},{"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Protocol (Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Connections - Protocol (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"c3152010-3673-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf4219
0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb
-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - MySQL","version":1},"id":"c3ced6d0-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"},"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":
\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Bro - Syslog","version":1},"id":"c4bbe040-76b3-11e7-ba96-cba76a1e264d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","name":"panel_1","type":"visualization"},{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"panel_2","type":"search"},{"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_3","type":"visualization"},{"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_4","type":"visualization"},{"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_5","type":"visualization"},{"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","name":"panel_6","type":"visualization"},{"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","name":"panel_7","type":"visualization"},{"id":"AWDHE-_wxQT5EBNmq4n3","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Authentication Success","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication 
Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"},"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSH -Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH 
-Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"},"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"v
ersion\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
SSH","version":1},"id":"c6ccfc00-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","name":"panel_5","type":"visualization"},{"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHEYk4xQT5EBNmq4k5","name":"panel_8","type":"visualization"},{"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c7484350-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"},"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Share Flag","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Share 
Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Desktop 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"},"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-8
3a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - RFB","version":1},"id":"c8b3c360-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connection Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connection 
Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c94e2aa0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelIn
dex\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Tunnels","version":1},"id":"c962dd60-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Weird - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"cb29fbe0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5OSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}},{\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Connections - Top Source IPs","version":1},"id":"cb367060-3b04-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_0","type":"visualization"},{"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_2","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS 
Version\"}}]}"},"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i
\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"19\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"20\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - SSL","version":1},"id":"cca67b60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"3753e110-365a-11e7-bf60-314364dd1cde","name":"panel_2","type":"visualization"},{"id":"02699580-365a-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_4","type":"visualization"},{"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_5","type":"visualization"},{"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_6","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_7","type":"visualization"},{"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","name":"panel_8","type":"visualization"},{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","name":
"panel_10","type":"visualization"},{"id":"AWDHElRWxQT5EBNmq4lz","name":"panel_11","type":"visualization"},{"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Sum of Total Bytes","version":1},"id":"ccfcc540-4638-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"1342e630-4632-11e7-9903-85f789353078","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Entropy","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"},"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Warning","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"},"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Tunnels - 
Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,
\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - Tunnels","version":1},"id":"d7b54ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","name":"panel_8","type":"visualization"},{"id":"AWDHFYrqxQT5EBNmq4qT","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Connections - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Server Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"},"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network 
Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"dbe4cc20-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z
","version":"WzcwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Queries","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"},"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a0
6-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - SIP","version":1},"id":"dd98e260-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"49384710-75ca-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"column
Index\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Weird","version":1},"id":"de2da250-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","name":"panel_2","type":"visualization"},{"id":"312cd460-364e-11e7-9dc3-d35061cb642d","name":"panel_3","type":"visualization"},{"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","name":"panel_4","type":"visualization"},{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","name":"panel_6","type":"visualization"},{"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHGXk-xQT5EBNmq4uf","name":"panel_8","type":"visualization"},{"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SSDeep","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - 
SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"},"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableCon
fig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - 
Connections","version":1},"id":"e0a34b90-34e6-11e7-9118-45bd317f0ca4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","name":"panel_1","type":"visualization"},{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a54f150-366e-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"296823d0-366f-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"b50912f0-366f-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"05088150-3670-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"c3152010-3673-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","name":"panel_8","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"25ce6eb0-463b-11e7-a82e-d97152153689","name":"panel_10","type":"visualization"},{"id":"AWDG71xFxQT5EBNmq336","name":"panel_11","type":"visualization"},{"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"},{"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Destination Port (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Destination Port (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"},"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"fab4b560-37d8-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},
\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Bro - X.509","version":1},"id":"e5aa7170-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"738127f0-37d7-11e7-9efb-91e89505091f","name":"panel_3","type":"visualization"},{"id":"fab4b560-37d8-11e7-9efb-91e89505091f","name":"panel_4","type":"visualization"},{"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","name":"panel_5","type":"visualization"},{"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","name":"panel_6","type":"visualization"},{"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","name":"panel_7","type":"visualization"},{"id":"AWDHGklsxQT5EBNmq4wG","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Domain","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"},"id":"e80aa100-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Top Connection 
Duration","version":1},"id":"ea211360-46c4-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f7492d0-46c4-11e7-a82e-d97152153689","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"},"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"22\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\
":56,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"25\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"26\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
DNS","version":1},"id":"ebf5ec90-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","name":"panel_2","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_3","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_4","type":"visualization"},{"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","name":"panel_5","type":"visualization"},{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","name":"panel_8","type":"visualization"},{"id":"74861280-6f06-11e7-b253-211f64f37eda","name":"panel_9","type":"visualization"},{"id":"AWDG9Qx0xQT5EBNmq3_2","name":"panel_10","type":"visualization"},{"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","name":"panel_11","type":"visualization"},{"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","name":"panel_12","type":"visualization"},{"id":"22f7de30-4949-11e8-9576-313be7c6b44b","name":"panel_13","type":"visualization"},{"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - File System","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - File 
System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"},"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NCwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"title\":\"NIDS Alert - Source Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"title\":\"NIDS Alert - Destination Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"title\":\"NIDS - Alert Summary \",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"title\":\"NIDS - Alert 
Title\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"title\":\"NIDS - Rule Signature\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"NIDS - SID Drilldown","version":1},"id":"ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_4","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","name":"panel_6","type":"visualization"},{"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_7","type":"visualization"},{"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ede56800-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMiwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":20,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-
a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":20,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SSL","version":1},"id":"efae8de0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1OSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Sum of Total Bytes","version":1},"id":"f042ad60-46c6-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MSwxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-
c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SMB","version":1},"id":"f24d7b80-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"34762420-75f0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"052df440-75f0-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Action","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice 
Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND 
event.module:zeek\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"
y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Zeek - Notices","version":1},"id":"fa9ed760-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","name":"panel_3","type":"visualization"},{"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMywxXQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3ce
c-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NywxXQ=="} 
-{"exportedCount":709,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file +{"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"n
ame\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string
\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzAsMV0="} +{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value 
}}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9
?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b
32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplat
e\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip
_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://FLEETPLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":
\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"da
ta.data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_
packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote
_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"data.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dat
a_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decod
er.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"des
tination_geo.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_co
de.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_
name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image
_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issu
er_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"nam
e\":\"osquery.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_
name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keywor
d\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":
false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keywo
rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Network 
Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/kibana#/dashboard/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/kibana#/dashboard/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/kibana#/dashboard/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/kibana#/dashboard/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/kibana#/dashboard/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/kibana#/dashboard/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/kibana#/dashboard/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [IRC](/kibana/app/kibana#/dashboard/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/kibana#/dashboard/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/kibana#/dashboard/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/kibana#/dashboard/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/kibana#/dashboard/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[PE](kibana/app/kibana#/dashboard/94b55b90-c761-11ea-bebb-37c5ab5894ea) |\\n[RADIUS](/kibana/app/kibana#/dashboard/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/kibana#/dashboard/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/kibana#/dashboard/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/kibana#/dashboard/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/kibana#/dashboard/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/kibana#/dashboard/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/kibana#/dashboard/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/kibana#/dashboard/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/kibana#/dashboard/efae8de0-75eb-11ea-9565-7315f4ee5cac) | 
[Syslog](/kibana/app/kibana#/dashboard/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/kibana#/dashboard/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/kibana#/dashboard/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"},\"title\":\"Security Onion - Network Data\"}"},"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T12:42:36.125Z","version":"WzcyNSwyXQ=="} +{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50
547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h
:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gri
dData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d
-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value 
}}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-
4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualizatio
n,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9
-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:
f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemp
late\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9
d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTem
plate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-1
1ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }{}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0
-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574
',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a
7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-
8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd
2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7
-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-
11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x
:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8)
,id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-
72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,
version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d
2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8
f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59
b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:
8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-45
95-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cl
ient.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.@timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@timestamp\"}}},{\"name\":\"data.@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@version\"}}},{\"name\":\"data._id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._id\"}}},{\"name\":\"data._index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._index\"}}},{\"name\":\"data._type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._type\"}}},{\"name\":\"data.agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.ephemeral_id\"}}},{\"name\":\"data.agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.id\"}}},{\"name\":\"data.agen
t.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.name\"}}},{\"name\":\"data.agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.type\"}}},{\"name\":\"data.agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.version\"}}},{\"name\":\"data.ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.ecs.version\"}}},{\"name\":\"data.event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.action\"}}},{\"name\":\"data.event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.category\"}}},{\"name\":\"data.event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.created\"}}},{\"name\":\"data.event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.dataset\"}}},{\"name\":\"data.event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.kind\"}}},{\"name\":\"data.event.module\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.module\"}}},{\"name\":\"data.event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.provider\"}}},{\"name\":\"data.fields.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.fields.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.fields.module\"}}},{\"name\":\"data.host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.architecture\"}}},{\"name\":\"data.host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.hostname\"}}},{\"name\":\"data.host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.id\"}}},{\"name\":\"data.host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.name\"}}},{\"name\":\"data.host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.build\"}}},{\"name\":\"data.host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.family\"}}},{\"name\":\"data.host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.kern
el.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.kernel\"}}},{\"name\":\"data.host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.name\"}}},{\"name\":\"data.host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.platform\"}}},{\"name\":\"data.host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.version\"}}},{\"name\":\"data.log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.log.level\"}}},{\"name\":\"data.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.message\"}}},{\"name\":\"data.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.module\"}}},{\"name\":\"data.num_hits\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.num_matches\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.command_line\"}}},{\"name\":\"data.process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.entity_id\"}}},{\"name\":\"data.proce
ss.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.executable\"}}},{\"name\":\"data.process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.command_line\"}}},{\"name\":\"data.process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.entity_id\"}}},{\"name\":\"data.process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.executable\"}}},{\"name\":\"data.process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"data.process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.description\"}}},{\"name\":\"data.process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.file_version\"}}},{\"name\":\"data.process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.original_file_name\"}}},{\"name\":\"data.process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.product\"}}},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"data.process.ppid\"}}},{\"name\":\"data.process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.working_directory\"}}},{\"name\":\"data.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tags\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.user.name\"}}},{\"name\":\"data.winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.api\"}}},{\"name\":\"data.winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.channel\"}}},{\"name\":\"data.winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.computer_name\"}}},{\"name\":\"data.winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Company\"}}},{\"name\":\"data.winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Hashes\"}}},{\"name\":\"data.winlog.event_data.Inte
grityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.IntegrityLevel\"}}},{\"name\":\"data.winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonGuid\"}}},{\"name\":\"data.winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonId\"}}},{\"name\":\"data.winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.ProcessId\"}}},{\"name\":\"data.winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.RuleName\"}}},{\"name\":\"data.winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.TerminalSessionId\"}}},{\"name\":\"data.winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.UtcTime\"}}},{\"name\":\"data.winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.opcode\"}}},{\"name\":\"data.winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_guid\"}}},{\"name\":\"data.winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_name\"}}},{\"name\":\"data.winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.task\"}}},{\"name\":\"data.winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.domain\"}}},{\"name\":\"data.winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.identifier\"}}},{\"name\":\"data.winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.name\"}}},{\"name\":\"data.winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.type\"}}},{\"name\":\"data.winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"t
ype\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\
"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.f
lavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"ty
pe\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ft
p.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}
},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host
.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syschec
k.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"e
sTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.in
fo_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esType
s\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\
"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"s
tring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyw
ord\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},
{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pro
cess.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.p
e.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\
":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\
":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Com
pression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\
",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"paren
t\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"tex
t\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword
\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"
}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.
exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sca
n.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TimeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sc
an.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"
scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.ke
yword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.
primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.charac
teristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.meta.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.identifier\"}}},{\"name\":\"scan.yara.meta.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.rule\"}}},{\"name\":\"scan.yara.meta.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.value\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_messag
e\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmai
l\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mu
lti\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"p
arent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"te
xt\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"s
yslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name
\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.pe
er\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.BufferSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.BufferSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.BufferSize\"}}},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Company\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CurrentStratumNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CurrentStratumNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CurrentStratumNumber\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DomainPeer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DomainPeer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DomainPeer\"}}},{\"name\":\"winlog.event_data.ErrorMessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ErrorMessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ErrorMessage\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.Library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Library\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.MaxSystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTy
pes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.RequiredSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RequiredSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RequiredSize\"}}},{\"name\":\"winlog.event_data.RetryMinutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RetryMinutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RetryMinutes\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"t
ype\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Service\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\
"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.TargetFilename\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TargetFilename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TargetFilename\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TimeOffsetSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeOffsetSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeOffsetSeconds\"}}},{\"name\":\"winlog.event_data.TimeSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeSource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSource\"}}},{\"name\":\"winlog.event_data.TimeSourceRefId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFrom
DocValues\":false},{\"name\":\"winlog.event_data.TimeSourceRefId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSourceRefId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keywo
rd\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provid
er_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.RebootReasons\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RebootReasons.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RebootReasons\"}}},{\"name\":\"winlog.user_data.RmSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RmSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RmSessionId\"}}},{\"name\":\"winlog.user_data.UTCStartTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.UTCStartTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.UTCStartTime\"}}},{\"name\":\"winlog.user_data.nApplications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.nApplications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.nApplications\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certifica
te.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not
_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-16T16:56:13.728Z","version":"Wzg0NCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUsMV0="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Sender","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"},"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Recipient","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"},"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzksMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - TLS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"},"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"},"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyLDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-
478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SMTP","version":1},"id":"00304500-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzLDFd"} 
+{"attributes":{"columns":["note","source_ip","destination_ip","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Notices - Logs","version":1},"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro Notices](/kibana/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) 
\\n[ElastAlert](/kibana/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting** \\n[Connections](/kibana/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551) \\n[Kerberos](/kibana/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/kibana#/dashboard/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551) \\n[SNMP](/kibana/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551) 
\\n[Software](/kibana/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/kibana#/dashboard/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/kibana#/dashboard/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/kibana/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/kibana#/dashboard/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/kibana/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/kibana#/dashboard/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Source IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Source IP 
Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Destination IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"7c47b650-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Notice Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"},"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}],\"listeners\":{}}"},"id":"53c62730-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"},"id":"793c2640-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notice - Destination Port (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Notice - Destination Port (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Notice - Message/Sub-Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notice - 
Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"},"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG1uC-xQT5EBNmq3dP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Notices - Notice Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notices - Notice 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notices - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"pa
nelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
Notices","version":1},"id":"01600fb0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","name":"panel_2","type":"visualization"},{"id":"7c47b650-3580-11e7-98ef-19df58fe538b","name":"panel_3","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"53c62730-39ad-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"793c2640-39ad-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NTLM - 
Logs","version":1},"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"36
f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"NTLM - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyLDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCEx7xQT5EBNmq4Vf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname to Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname to 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"},"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server NetBIOS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server NetBIOS 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"},"id":"c23ea470-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server DNS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server DNS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server DNS 
Name\"}}]}"},"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server Tree Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server Tree Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"},"id":"2a054320-0edd-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5LDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":nul
l,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - 
NTLM","version":1},"id":"022713e0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"panel_2","type":"search"},{"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCEx7xQT5EBNmq4Vf","name":"panel_8","type":"visualization"},{"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"c23ea470-0edc-11e9-9846-59f545e7293f","name":"panel_10","type":"visualization"},{"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","name":"panel_11","type":"visualization"},{"id":"2a054320-0edd-11e9-9846-59f545e7293f","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwLDFd"} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Network Data","version":1},"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxLDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"0242ab70-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Files","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - 
Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/kibana#/dashboard/ff689c50-75f3-11ea-9565-7315f4ee5cac) \\n[Zeek](/kibana/app/kibana#/dashboard/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"},"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Log Count Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"patter
n\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - 
Modules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Modules\"}"},"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:08:54.117Z","version":"WzczMywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Total Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Total 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"},"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - MIME 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5LDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de58-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-e
c80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Files","version":1},"id":"0245be10-6ec1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSL - Logs","version":1},"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Version (Pie 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"02699580-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SIP - Logs","version":1},"id":"9e131480-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - 
Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"},"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0LDFd"} +{"attributes":{"columns":["osquery.columns.permissions","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions - Sensitive 
Permissions","version":1},"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2LDFd"} +{"attributes":{"columns":["osquery.hostname","osquery.columns.username","osquery.LiveQuery","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome 
Extensions","version":1},"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Changes by Hostname","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Top Network 
Protocols","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Top Network Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Transport","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category: 
network\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\"},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":14,\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\"},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":27,\"y\":0,\"w\":21,\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\"},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\"},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":12,\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\"},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\"},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":9,\"w\":11,\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\"},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Network","version":1},"id":"04ff3ef0-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Connections - Logs","version":1},"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Missed Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Missed 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"},"id":"05088150-3670-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"},"id":"052df440-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - GID/SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"},"id":"053f7130-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Originator Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2LDFd"} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Logs","version":1},"id":"84116380-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by 
Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4LDFd"} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"FTP - Logs","version":1},"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count Over 
Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - 
Query","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"},"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - 
Section","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.section_names.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Section\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - Section\"}"},"id":"07419650-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:51:12.564Z","version":"WzczMCwyXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Intel - Logs","version":1},"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcyLDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Indicator Type (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator 
Type\"}}]}"},"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzczLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"MySQL - Logs","version":1},"id":"5d624230-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - HTTP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SHA256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - 
SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc3LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSH - 
Logs","version":1},"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSH - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"09
457310-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Hash - MD5","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"},"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgwLDFd"} 
+{"attributes":{"columns":["source_ip","syslog-host_from","syslog-priority"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (All) - Logs","version":1},"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Host From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"},"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgyLDFd"} 
+{"attributes":{"columns":["host","certificate_subject","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"X.509 - Logs","version":1},"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg0LDFd"} 
+{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RDP - Logs","version":1},"id":"823dd600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security 
Onion - RDP - Certificate Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Certificate Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg3LDFd"} 
+{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Logs","version":1},"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"},"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg5LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"},"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkwLDFd"} 
+{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Sysmon","version":1},"id":"6281da80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-16T16:21:21.064Z","version":"WzgzOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Sysmon Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Sysmon 
Datasets\"}"},"id":"0caa7df0-c781-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"6281da80-c780-11ea-bebb-37c5ab5894ea","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T16:26:06.541Z","version":"Wzg0MCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Connections","version":1},"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connections Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date 
ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
Port\"}}]}"},"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"},"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Connections - State (Desc)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state_description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Connections - State 
(Desc)\"}"},"id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T20:07:50.857Z","version":"WzcwOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Client Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Client Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client 
Bytes\"}}]}"},"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server 
Bytes\"}}]}"},"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - History","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"},"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk3LDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\"},\"panelIndex\":\"97f054
6b-01c5-41c1-9316-099f2b3c8d91\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":19,\"y\":27,\"w\":9,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":27,\"w\":9,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":37,\"y\":27,\"w\":11,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Connections","version":1},"id":"0cc628b0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"},{"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"},{"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","name":"panel_10","type":"visualization"}],"type":"dashboard","update
d_at":"2020-07-15T20:08:44.243Z","version":"WzcxMCwyXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Modbus - Logs","version":1},"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Weird - 
Logs","version":1},"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over 
TIme\",\"type\":\"line\"}"},"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMiwxXQ=="} +{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Alerts","version":1},"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp 
per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Alert Level (Pie Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Alert Level (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"},"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG4pcDxQT5EBNmq3pi","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Event Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Event 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"},"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - User to Escalated User (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - User to Escalated User (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"},"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Command (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Process and Username (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Process and Username (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"OSSEC Alerts","version":1},"id":"0de7a390-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","name":"panel_2","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_4","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"},{"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMSwxXQ=="} 
+{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SNMP - Logs","version":1},"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Alert Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Playbook](/kibana/app/kibana#/dashboard/f449f0a0-c77c-11ea-bebb-37c5ab5894ea) \\n[Suricata](/kibana/app/kibana#/dashboard/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/kibana#/dashboard/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Alert Data\"}"},"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T15:57:30.488Z","version":"WzgyNCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Alerts","version":1},"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts - 
Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Rule - 
Name\"}"},"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T15:41:34.211Z","version":"WzgwMiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Severity","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.severity_label.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"title\":\"Security Onion - Rule - Severity\"}"},"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:42:56.387Z","version":"WzgwNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - 
Category","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"},"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: alert\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Low & Medium 
Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":1,\"lt\":3},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"range\":{\"event.severity\":{\"gte\":1,\"lt\":3}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"High & Critical Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":3,\"lt\":5},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"range\":{\"event.severity\":{\"gte\":3,\"lt\":5}}}]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"w\":29,\"x\":0,\"y\":8},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"w\":19,\"x\":29,\"y\":8},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"w\":19,\"x\":0,\"y\":27},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\
"version\":\"7.7.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"w\":10,\"x\":19,\"y\":27},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"w\":10,\"x\":29,\"y\":27},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"799598a4-39de-455d-bc39-409466b8b119\",\"w\":9,\"x\":39,\"y\":27},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Alerts","version":1},"id":"0e4af1d0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","name":"panel_1","type":"visualization"},{"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-
07-16T15:47:02.445Z","version":"WzgxMywyXQ=="} +{"attributes":{"columns":["event_type","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon - Logs","version":1},"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source 
Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNSwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Logs","version":1},"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors/Devices - Total Number of Logs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices - Total Number of 
Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"},"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"},"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyOCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","message_types","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DHCP - Logs","version":1},"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DCE/RPC - Logs","version":1},"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMiwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RADIUS - Logs","version":1},"id":"75545310-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - 
MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"},"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Logstash - Processing Performance","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Processing Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of 
logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNiwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR 
tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Errors","version":1},"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Logstash - Error Type (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Error Type (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzOCwxXQ==
"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Avg Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Avg Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHIynExQT5EBNmq49q","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Median Processing TIme","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Median Processing 
TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"},"id":"AWDHJY1BxQT5EBNmq5Ay","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Max Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Max Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHJpuBxQT5EBNmq5Cr","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Error Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKEF2xQT5EBNmq5FA","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors/Devices and Services","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices and 
Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36
,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Stats","version":1},"id":"130017f0-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","name":"panel_0","type":"visualization"},{"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","name":"panel_1","type":"visualization"},{"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","name":"panel_2","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_3","type":"visualization"},{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"panel_4","type":"search"},{"id":"AWDHIynExQT5EBNmq49q","name":"panel_5","type":"visualization"},{"id":"AWDHJY1BxQT5EBNmq5Ay","name":"panel_6","type":"visualization"},{"id":"AWDHJpuBxQT5EBNmq5Cr","name":"panel_7","type":"visualization"},{"id":"AWDHKEF2xQT5EBNmq5FA","name":"panel_8","type":"visualization"},{"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1342e630-4632-11e7-9903-85f789353078","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response Code Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - DNS - Response Code 
Name\"}"},"id":"13cda410-c770-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T14:24:37.072Z","version":"Wzc1NywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"},"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Connection State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Connection 
State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}"},"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RFB - Logs","version":1},"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Exclusive Session (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RFB - Exclusive Session (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"14274040-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agents","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"14ed9540-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Length (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Length (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"},"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"1563f380-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MiwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMB - Logs","version":1},"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Server Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Server 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"},"id":"15fa3b30-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"178209e0-6e1b-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NywxXQ=="} 
+{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NIDS - Alerts","version":1},"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Alert Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"},"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1OSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Source IP Address","uiStateJSON":"{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Total Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MiwxXQ=="} +{"attributes":{"columns":["entry","entry_location","image_path","hostname","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Autoruns - Logs","version":1},"id":"dd700830-6d69-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - 
Profile","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"},"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Alert Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Alert 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"},"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Rule","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - 
Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"},"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}],\"listeners\":{}}"},"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination 
Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MCwxXQ=="} +{"attributes":{"columns":["rule_name","matches","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"ElastAlert","version":1},"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Elastalert - Log 
Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG7DVRxQT5EBNmq3zM","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MiwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\"
:[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"ElastAlert","version":1},"id":"1d98d620-7dce-11e7-846a-150cdcaf3374","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","name":"panel_1","type":"visualization"},{"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","name":"panel_2","type":"visualization"},{"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_3","type":"visualization"},{"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_4","type":"visualization"},{"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_5","type":"visualization"},{"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_6","type":"visualization"},{"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_7","type":"search"},{"id":"AWDG7DVRxQT5EBNmq3zM","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"},"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Response Code (Name)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code 
(Name)\"}}]}"},"id":"22f7de30-4949-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","resp_fuids","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"HTTP - Logs","version":1},"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Sites","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Sites Hosting EXEs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites Hosting 
EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - URIs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"ae591c20-4164-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Referrer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - MIME Type (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"934fe550-6e08-11e7-9370-174c4785d3e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Port (Vertical Bar 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Country (Vertical Bar 
Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG97t7xQT5EBNmq4E1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Status and Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"HTTP - Status and 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"},"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\
"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"20\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"23\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"24\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
HTTP","version":1},"id":"230134a0-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","name":"panel_1","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_2","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_3","type":"visualization"},{"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","name":"panel_4","type":"visualization"},{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_6","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"ae591c20-4164-11e7-9850-b78558d0ac17","name":"panel_8","type":"visualization"},{"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","name":"panel_9","type":"visualization"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_10","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_11","type":"visualization"},{"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"AWDG97t7xQT5EBNmq4E1","name":"panel_13","type":"visualization"},{"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Validation Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Validation 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"},"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Connections - Bytes and Duration","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/kibana#/dashboard/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/kibana#/dashboard/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection 
Duration](/kibana/app/kibana#/dashboard/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"25ce6eb0-463b-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Tunnels - Logs","version":1},"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{
}}"},"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (Bro) - Logs","version":1},"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Connections - Service By Destination Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"277f3250-4161-11e7-8493-51634b0a4565","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Result","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"},"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"e1907430-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Reply Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}"},"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Reply Code","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"FTP - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9sT_xQT5EBNmq4DI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\
":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
FTP","version":1},"id":"27f3b380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"e1907430-35b6-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","name":"panel_7","type":"visualization"},{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"panel_8","type":"search"},{"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","name":"panel_9","type":"visualization"},{"id":"AWDG9sT_xQT5EBNmq4DI","name":"panel_10","type":"visualization"},{"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNCwxXQ=="} +{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Logs","version":1},"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.machine.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Machine\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - Machine\"}"},"id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:52:07.788Z","version":"WzczMSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Key Type 
(Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - X.509 - Key Type (Donut)\"}"},"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:53:07.934Z","version":"WzgyMCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - 
HTTP","version":1},"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Virtual Host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual Host\"}}]}"},"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top Source IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top Source 
IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","request_type","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Kerberos - Logs","version":1},"id":"452daa10-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMywxXQ=="} +{"attributes":{"columns":["file_ip","destination_ip","source","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Files - 
Logs","version":1},"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Target Filename","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Target 
Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"},"id":"29611940-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"296823d0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNywxXQ=="} 
+{"attributes":{"columns":["action","reason","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Firewall - Logs","version":1},"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Action/Reason (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Action/Reason (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"},"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - 
Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Client/Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - 
Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6571ee10-3584-11e7-a588-05992195c551","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Files By Size (Bytes)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Files By Size 
(Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"},"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}"},"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - MIME Type (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}]}"},"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"aa021c90-3678-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9goqxQT5EBNmq4BP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"},"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzOSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\
":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Files","version":1},"id":"2d315d80-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"6571ee10-3584-11e7-a588-05992195c551","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","name":"panel_3","type":"visualization"},{"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","name":"panel_4","type":"visualization"},{"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","name":"panel_5","type":"visualization"},{"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"aa021c90-3678-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"AWDG9goqxQT5EBNmq4BP","name":"panel_8","type":"visualization"},{"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Request Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Request 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"},"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Content Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Content Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"2db47070-3754-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - SAN DNS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - SAN 
DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"},"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X509 - Key 
Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - X509 - Key Type\"}"},"id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:53:54.857Z","version":"WzgyMSwyXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":30,\"h\":22,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":22,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":30,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":30,\"w\":18,\"h\":21,\"i\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\"},\"panelIndex\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
X509","version":1},"id":"2e0865f0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","name":"panel_4","type":"visualization"},{"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T15:55:10.553Z","version":"WzgyMiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"},"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Entry","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry 
Location\"}}],\"listeners\":{}}"},"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Analyzer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"},"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MSwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNP3 - 
Logs","version":1},"id":"c2587840-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},
"id":"593f1850-3581-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9DWvxQT5EBNmq3-m","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Request","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"},"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"},"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"ve
rsion\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
DNP3","version":1},"id":"2fdf5bf0-3581-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"593f1850-3581-11e7-98ef-19df58fe538b","name":"panel_1","type":"visualization"},{"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG9DWvxQT5EBNmq3-m","name":"panel_6","type":"visualization"},{"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Seen (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Intel - Seen (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen 
(Where)\"}}]}"},"id":"3013af40-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Authentication Result","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File/Path Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"SMB - File/Path 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"},"id":"3072c750-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/kibana#/dashboard/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/kibana#/dashboard/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/kibana#/dashboard/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | [Network](/kibana/app/kibana#/dashboard/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) 
\"},\"aggs\":[]}"},"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NSwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - All Logs","version":1},"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{},\"pane
lRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Indicator","version":1},"id":"30d0ac90-729f-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"312cd460-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Server 
Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP 
- Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"317f8410-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Host Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/kibana#/dashboard/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Sysmon](/kibana/app/kibana#/dashboard/32f01e80-c780-11ea-bebb-37c5ab5894ea) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Host Data\"}"},"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T16:20:30.720Z","version":"WzgzOCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - 
Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Username\"}"},"id":"767c89f0-af4c-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process CLI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process 
CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"},"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":16,\"i\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\"},\"panelIndex\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":12,\"h\":16,\"i\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\"},\"panelIndex\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":7,\"w\":24,\"h\":16,\"i\":\"1d246882-3945-4a7e-b602-15ccf3f09310\"},\"panelIndex\":\"1d246882-3945-4a7e-b602-15ccf3f09310\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Sysmon","version":1},"id":"32f01e80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_4","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"search"}],"type":"dashboard","updated_at":"2020-07-16T16:30:59.797Z","version":"Wzg0MSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Action (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Action (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"},"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MywxXQ=="} 
+{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IRC - Logs","version":1},"id":"344c6010-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Severity (Horizontal Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Severity (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"},"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Share Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Share 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"34762420-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message 
Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - DHCP - Message Type\"}"},"id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:49:47.172Z","version":"WzczOCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"},"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"3753e110-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - IRC - Command Info","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"},"id":"db279540-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - User Command Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Type\"}}]}"},"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"w\":8,\"x\":0,\"y\":8},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"w\":9,\"x\":8,\"y\":8},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"w\":15,\"x\":17,\"y\":8},\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
IRC","version":1},"id":"38523560-75ba-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db279540-75bb-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary - Drilldown","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MywxXQ=="} +{"attributes":{"columns":["message"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Archive","version":1},"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHXl3xQT5EBNmq42U","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6
\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"OSSEC","version":1},"id":"3a457d70-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_2","type":"search"},{"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHHXl3xQT5EBNmq42U","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Image","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Sysmon - 
Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"},"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Priority (Vertical bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Priority (Vertical bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}]}"},"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3e6037d0-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agent - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agent - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Source 
IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5OCwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Domains with creation date < 3 
months","version":1},"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Baby Domain Requests","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Baby Domain Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"},"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"},"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKVLMxQT5EBNmq5HX","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefNam
e\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Syslog","version":1},"id":"4323af90-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_1","type":"visualization"},{"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_2","type":"visualization"},{"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_3","type":"visualization"},{"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_4","type":"visualization"},{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"panel_5","type":"search"},{"id":"AWDHKVLMxQT5EBNmq5HX","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"},"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Least Common HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Least Common HTTP 
Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"},"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - UserAgent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"},"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"},"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b
6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - HTTP","version":1},"id":"44e9c820-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","name":"panel_7","type":"visualization"},{"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus 
- Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"},"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Category","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - 
Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"},"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Class (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"},"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNywxXQ=="} +{"attributes":{"columns":["message","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"PE - Logs","version":1},"id":"66288140-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxOCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - OS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"},"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"},"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}"},"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"},"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Round Trip Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Round Trip 
Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"},"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG8k4OxQT5EBNmq37a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}]}"},"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyOCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"
version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DCE/RPC","version":1},"id":"46582d50-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_2","type":"visualization"},{"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_8","type":"visualization"},{"id":"AWDG8k4OxQT5EBNmq37a","name":"panel_9","type":"visualization"},{"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyOSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"},"id":"613de590-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"a5571030-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - 
Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"},"id":"6380b430-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"af614b80-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Matched","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"},"id":"c8540380-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG-Qf8xQT5EBNmq4G5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"
8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - 
Intel","version":1},"id":"468022c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"3013af40-399b-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"613de590-399b-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"a5571030-399b-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"6380b430-399c-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"af614b80-399c-11e7-8472-0151e5b2b475","name":"panel_7","type":"visualization"},{"id":"c8540380-399c-11e7-8472-0151e5b2b475","name":"panel_8","type":"visualization"},{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","name":"panel_10","type":"visualization"},{"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","name":"panel_11","type":"visualization"},{"id":"AWDG-Qf8xQT5EBNmq4G5","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Category","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Autoruns - 
Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"},"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Request From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Request 
From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"},"id":"49384710-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Network - Transport","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"},"id":"499a0690-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Protocol (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Protocol (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Request Type (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Request Type (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"},"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"},"id":"4adca340-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ 
-highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ -highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ -highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND 
highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Alexa Top Sites","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top 
Sites\",\"type\":\"gauge\"}"},"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0OCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Top Connection Duration","version":1},"id":"4e108070-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Section Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Section 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - IP to MAC Assignment","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP 
Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":false}","panelsJSON":"[]","timeRestore":false,"title":"OSSEC","version":1},"id":"4f6f3440-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"df06de60-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Destination 
Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Protocol","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enab
led\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Firewall - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHH3kBxQT5EBNmq459","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h
\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Firewall","version":1},"id":"50173bd0-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"df06de60-6d75-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","name":"panel_4","type":"visualization"},{"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","name":"panel_6","type":"visualization"},{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"panel_7","type":"search"},{"id":"AWDHH3kBxQT5EBNmq459","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File Size","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File 
Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"},"id":"50b4c880-72df-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"},"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2OCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMTP - Logs","version":1},"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Webmail - True/False (Vertical Bar 
Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"},"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Tree","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"},"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"},"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13
:17:15.442Z","version":"WzM3NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelIndex\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec9
5073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - NTLM","version":1},"id":"558292e0-75c1-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name 
(Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - DNS - Response Code Name (Donut)\"}"},"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T14:23:44.153Z","version":"Wzc1NiwyXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":11,\"h\":19,\"i\":\"499d1548-292c-47a9-8f26-73a6af91d004\"},\"panelIndex\":\"499d1548-292c-47a9-8f26-73a6af91d004\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":37,\"y\":9,\"w\":11,\"h\":19,\"i\":\"f3761ba4-c0d3-4158-9da2-3c7740fcffc3\"},\"panelIndex\":\"f3761ba4-c0
d3-4158-9da2-3c7740fcffc3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-8024-4f3f-9de0-869622470e4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - DNS","version":1},"id":"55ac6bf0-6ec4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"13cda410-c770-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"},{"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T14:25:34.715Z","version":"Wzc1OCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"IRC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Destination IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"e4615200-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_HoKxQT5EBNmq4KN","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - 
Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName
\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - IRC","version":1},"id":"56a34ce0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"e4615200-35b7-11e7-a994-c528746bc6e8","name":"panel_3","type":"visualization"},{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG_HoKxQT5EBNmq4KN","name":"panel_6","type":"visualization"},{"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - 
Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease 
Time\"}}]}"},"id":"58c84f60-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Log Count By Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Devices - Log Count By Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"},"id":"5b3988c0-a840-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Client 
Build","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Client Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"},"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Security Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Security 
Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"w\":9,\"x\":9,\"y\":8},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"w\":7,\"x\":18,\"y\":8},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"w\":7,\"x\":25,\"y\":8},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"w\":7,\"x\":32,\"y\":8},\"panelIndex\":\"35083762-45
91-44ac-a31f-36bed3414af2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - RDP","version":1},"id":"5b743150-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Nodes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - 
Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"5cba9760-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Client 
Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Connection 
Information","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"},"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.executable.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process 
Image\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Host - Process Name\"}"},"id":"5e18a970-c77f-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T16:18:12.759Z","version":"WzgzNCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - FIle Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File 
Path\"}}],\"listeners\":{}}"},"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Data Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Data Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"},"id":"60925490-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Hostname (Tag 
Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Launch 
String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"},"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Company","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - 
Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Signer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"},"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHG1IaxQT5EBNmq4yR","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNiwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,
\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Autoruns","version":1},"id":"61d43810-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHG1IaxQT5EBNmq4yR","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"},"id":"62449800-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"62969db0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"62ac4060-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop 
Name\"}}],\"listeners\":{}}"},"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Rule Signature","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS Signature\"}}]}"},"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Facility","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - 
Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"},"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - 
Severity","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Syslog - Severity\"}"},"id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:40:04.068Z","version":"WzgwMCwyXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":18,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":11,\"h\":18,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":27,\"y\":8,\"w\":9,\"h\":18,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":18,\"i\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\"},\"panelIndex\":\"cdad19b0
-4f35-4143-8677-0a64a64dbca6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Syslog","version":1},"id":"66499a20-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T15:40:57.523Z","version":"WzgwMSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Query/Answer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"},"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxOSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors - Sensor and Services (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sensors - Sensor and Services (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"},"id":"73806f30-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
IP\"}}]}"},"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":16,\"h\":24,\"x\":
0,\"y\":120,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"18\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"20\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"22\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"},{\"panelIndex\":\"26\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_16\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_17\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_18\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Indi
cator","version":1},"id":"68563ed0-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"60925490-34bf-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_2","type":"visualization"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_4","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_5","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_6","type":"visualization"},{"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_8","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_10","type":"search"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_11","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_13","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_14","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_15","type":"visualization"},{"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","name":"panel_16","type":"visualization"},{"id":"73806f30-4948-11e8-9576-313be7c6b44b","name":"panel_17","type":"visualization"},{"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","name":"panel_18","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data - 
Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"689991b0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Originator 
Bytes","version":1},"id":"68f738e0-46ca-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Weird - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"},"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"710ccbf0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Success Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Success Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"b31231c0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"f0178840-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Cipher (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Cipher (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"},"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Renewable","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"},"id":"bb748470-6e1a-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_UbkxQT5EBNmq4Lg","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"pane
l_4\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - 
Kerberos","version":1},"id":"6b0d4870-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","name":"panel_1","type":"visualization"},{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"710ccbf0-35bb-11e7-b9ee-834112670159","name":"panel_3","type":"visualization"},{"id":"b31231c0-35bb-11e7-b9ee-834112670159","name":"panel_4","type":"visualization"},{"id":"f0178840-35bb-11e7-b9ee-834112670159","name":"panel_5","type":"visualization"},{"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","name":"panel_6","type":"visualization"},{"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_7","type":"visualization"},{"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_8","type":"visualization"},{"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_9","type":"visualization"},{"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","name":"panel_10","type":"visualization"},{"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","name":"panel_11","type":"visualization"},{"id":"bb748470-6e1a-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDG_UbkxQT5EBNmq4Lg","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination Port","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Sysmon - Destination 
Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Event ID (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Event ID (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"},"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sysmon - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHk1sxQT5EBNmq43Y","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":48
,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NiwxXQ=="} +{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.6.1","references":[],"type":"config","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NywxXQ=="} +{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.7.1","references":[],"type":"config","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME 
Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\
":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Total Bytes Per Source/Destination IP Pair","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source 
IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connections - Total Bytes Per Source/Destination IP 
Pair\",\"type\":\"table\"}"},"id":"726cc040-48cf-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"},"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Log Type Per Sensor/Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Log Type Per 
Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"},"id":"733ce440-494d-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Signing Algorithm","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Signing 
Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"},"id":"738127f0-37d7-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Command","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d3435690-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - 
User","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"},"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Password","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"},"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-3
0ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - FTP","version":1},"id":"739bfad0-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"d3435690-755f-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"From\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"From\\\" 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"},"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Organizational Domain(s)","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"},"id":"74861280-6f06-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - 
Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"},"id":"75597b60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"781447d0-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Sensitive Permissions","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Sensitive Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension 
Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"},"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHBRrrxQT5EBNmq4TI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2OSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"},"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},
{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - MySQL","version":1},"id":"7929f430-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHBRrrxQT5EBNmq4TI","name":"panel_4","type":"visualization"},{"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Name\"}}]}"},"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major 
Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Virtual Host Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Virtual Host Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"},"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Authentication Sucess","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Authentication Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3OCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"},"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Highest Registered Domain Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Highest Registered Domain Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a6df8820-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db04aef0-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Severity (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts By Country (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"NIDS - Alerts By Country (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG3ym0xQT5EBNmq3mG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Classification","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"},"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelR
efName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"NIDS","version":1},"id":"7f27a830-34e5-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"a6df8820-399f-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"db04aef0-399f-11e7-8472-015
1e5b2b475","name":"panel_4","type":"visualization"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_8","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_9","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"7f7492d0-46c4-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"},"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualizati
on","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Requested Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Requested Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"},"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Assigned Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Assigned 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"},"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"87dce718-7595-4bb0-b1be-b2f51518f026\"},\"panelIndex\":\"87dce718-75
95-4bb0-b1be-b2f51518f026\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DHCP","version":1},"id":"80625c10-96dd-11ea-814e-bb515e873c2c","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_3","type":"visualization"},{"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_4","type":"visualization"},{"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_5","type":"visualization"},{"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T13:50:09.463Z","version":"WzczOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - Subsystem (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Subsystem (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Subsytem","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.subsystem.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subsystem\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - 
Subsytem\"}"},"id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:49:05.687Z","version":"WzcyOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: 
Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"80aa0c60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule 
ID\"}}]}"},"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND event.module:suricata\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":8,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":8,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\
",\"gridData\":{\"x\":19,\"y\":8,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":38,\"y\":28,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":16,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":28,\"w\":22,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Alerts - Suricata","version":1},"id":"81057f40-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T16:34:37.522Z","
version":"Wzg0MiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Response From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response From\"}}]}"},"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source 
IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8261cf00-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community 
String\"}}]}"},"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 
minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"8491c4b0-6eab-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG80RwxQT5EBNmq38x","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Message Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Message Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message 
Types\"}}]}"},"id":"a88e1020-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Domain Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain Name\"}}]}"},"id":"ce859b40-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}}},\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - 
DHCP","version":1},"id":"85348270-357b-11e7-ac34-8965f6420c51","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","name":"panel_2","type":"visualization"},{"id":"317f8410-3655-11e7-baa7-b7de4ee40605","name":"panel_3","type":"visualization"},{"id":"AWDG80RwxQT5EBNmq38x","name":"panel_4","type":"visualization"},{"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"58c84f60-0edb-11e9-9846-59f545e7293f","name":"panel_7","type":"visualization"},{"id":"a88e1020-0edb-11e9-9846-59f545e7293f","name":"panel_8","type":"visualization"},{"id":"ce859b40-0edb-11e9-9846-59f545e7293f","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 
minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Status (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"},"id":"869e3030-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Exception","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"},"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":
8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Modbus","version":1},"id":"886a7b90-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"62449800-75be-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCUeZxQT5EBNmq4Xy","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Bro - 
PE","version":1},"id":"8a10e380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","name":"panel_5","type":"visualization"},{"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","name":"panel_6","type":"visualization"},{"id":"AWDHCUeZxQT5EBNmq4Xy","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - HASSH","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Notice Generated (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Weird - Notice Generated (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Client Build","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"},"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxOSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Files - MIME Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files - MIME 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"8fb3c480-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"All Sensors - Log Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"All Sensors - Log 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"},"id":"901bda80-a83f-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"b0456970-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCgWzxQT5EBNmq4Y5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyOCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\
"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - RADIUS","version":1},"id":"90b246c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_5","type":"visualization"},{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"b0456970-6e1f-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCgWzxQT5EBNmq4Y5","name":"panel_8","type":"visualization"},{"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyOSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Destination Country (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Destination Country (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - ID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.id.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"},"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\"},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":15,\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\"},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\"},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":7,\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\"},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":8,\"w\":7,\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\"},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":8,\"w\":9,\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\"},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\"},\"panelIndex\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Host","version":1},"id":"92e63cc0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T16:19:17.868Z","version":"WzgzNiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}"},"id":"930b1600-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNiwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"p
anelIndex\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Wazuh","version":1},"id":"9480f190-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total Number of Logs","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Total Number of 
Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"},"id":"AWDGyaGxxQT5EBNmq3K9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sensors - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"},"id":"AWDGzmzcxQT5EBNmq3Sj","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"},"id":"AWDG0UDvxQT5EBNmq3WD","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,
\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"32\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"33\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"34\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"35\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"36\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,\"i\":\"36\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"37\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"38\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"39\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"40\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"41\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"Overview","version"
:1},"id":"94b52620-342a-11e7-9d52-4f090484f59e","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_1","type":"search"},{"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","name":"panel_2","type":"visualization"},{"id":"277f3250-4161-11e7-8493-51634b0a4565","name":"panel_3","type":"visualization"},{"id":"901bda80-a83f-11e7-893a-1b88920b2837","name":"panel_4","type":"visualization"},{"id":"5b3988c0-a840-11e7-893a-1b88920b2837","name":"panel_5","type":"visualization"},{"id":"AWDGyaGxxQT5EBNmq3K9","name":"panel_6","type":"visualization"},{"id":"AWDGzmzcxQT5EBNmq3Sj","name":"panel_7","type":"visualization"},{"id":"AWDG0UDvxQT5EBNmq3WD","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_10","type":"visualization"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_11","type":"visualization"},{"id":"733ce440-494d-11e8-9576-313be7c6b44b","name":"panel_12","type":"visualization"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_13","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - 
OS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.os.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"OS\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - OS\"}"},"id":"b449a870-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:48:53.367Z","version":"WzcyOCwyXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:pe\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\"},\"panelIndex\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":12,\"h\":9,\"i\":\"94db978d-70ba-4ade-a680-1297961aa832\"},\"panelIndex\":\"94db978d-70ba-4ade-a680-1297961aa832\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":9,\"i\":\"8973a749-ddc9-4476-8946-280e748da61e\"},\"panelIndex\":\"8973a749-ddc9-4476-8946-280e748da61e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":18,\"i\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\"},\"panelIndex\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":15,\"h\":18,\"i\":\"b9da8481-6781-4431-83de-c51834199de7\"},\"panelIndex\":\"b9da8481-6781-4431-83de-c51834199de7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":10,\"h\":18,\"i\":\"ceba5670-4f26-411e-a19a-e130cf715228\"},\"panelIndex\":\"ceba5670-4f26-411e-a19a-e130cf715228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\"},\"panelIndex\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
PE","version":1},"id":"94b55b90-c761-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","name":"panel_3","type":"visualization"},{"id":"b449a870-c762-11ea-bebb-37c5ab5894ea","name":"panel_4","type":"visualization"},{"id":"07419650-c763-11ea-bebb-37c5ab5894ea","name":"panel_5","type":"visualization"},{"id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T12:52:57.735Z","version":"WzczMiwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"w\":17,\"x\":13,\"y\":0},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gri
dData\":{\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"w\":10,\"x\":9,\"y\":8},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"w\":11,\"x\":19,\"y\":8},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - SNMP","version":1},"id":"96522610-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"To\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"To\\\" 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"},"id":"96767400-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Keyboard Layout (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Keyboard Layout (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard 
Layout\"}}]}"},"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Result (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Result (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"},"id":"c4f37d70-6e20-11e7-
b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Encryption Level (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"RDP - Encryption Level (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryp
tion Level\"}}]}"},"id":"ef307a70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCvBexQT5EBNmq4aK","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"versi
on\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - RDP","version":1},"id":"97f8c3a0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","name":"panel_6","type":"visualization"},{"id":"75597b60-371c-11e7-90f8-87842d5eedc9","name":"panel_7","type":"visualization"},{"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","name":"panel_8","type":"visualization"},{"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","name":"panel_9","type":"visualization"},{"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"ef307a70-6e20-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"AWDHCvBexQT5EBNmq4aK","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"9a54f150-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MiwxXQ=="} +{"attributes":{"columns":["source_ip","name","software_type"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Software - Logs","version":1},"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Software - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Software - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}]}"},"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"},"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial 
Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"value\":\"0\",\"params\":{\"query\":0,\"type\":\"phrase\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"]},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"title\":\"Changes by Type\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelIndex\":\"14\",\"embeddableConfig\":{},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - 
Overview","version":1},"id":"9d0e2da0-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"panel_1","type":"search"},{"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","name":"panel_2","type":"visualization"},{"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","name":"panel_3","type":"visualization"},{"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
Port\"}}]}"},"id":"9d3413c0-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073
-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SSH","version":1},"id":"9dfd77e0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1OCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"},"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Named 
Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"c2f21270-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"},"id":"df7989f0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591
-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DCE/RPC","version":1},"id":"9e882df0-72c5-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","name":"panel_5","type":"visualization"},{"id":"c2f21270-96db-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"df7989f0-96db-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MiwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Osquery","version":1},"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication 
Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"},"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"e8982270-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"c24191f0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RFB - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHC8iGxQT5EBNmq4bs","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,
\"i\":\"13\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - RFB","version":1},"id":"9ef20ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"869e3030-371e-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"14274040-371f-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","name":"panel_8","type":"visualization"},{"id":"e8982270-6e21-11e7-b553-7f80727663c1","name":"panel_9","type":"visualization"},{"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"c24191f0-6e22-11e7-b553-7f80727663c1","name":"panel_12","type":"visuali
zation"},{"id":"AWDHC8iGxQT5EBNmq4bs","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. 
Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. 
Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. 
\\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Help","version":1},"id":"AV6-POJSDwoBUzALqKAg","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AV6-PHKnDwoBUzALqJ_c","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Issuer Common Name Frequency 
Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"},"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Server Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Server Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"},"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Organization Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Organization Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Organization\"}}],\"listeners\":{}}"},"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Parent Domain Frequency Analysis","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\
",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}]","timeRestore":false,"title":"Frequency 
Analysis","version":1},"id":"AWAi5k4jAvKNGEbUWFis","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","name":"panel_0","type":"visualization"},{"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","name":"panel_1","type":"visualization"},{"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","name":"panel_2","type":"visualization"},{"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","name":"panel_3","type":"visualization"},{"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","name":"panel_4","type":"visualization"},{"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_5","type":"visualization"},{"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","name":"panel_6","type":"visualization"},{"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_7","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_8","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_9","type":"search"},{"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Baby Domains","version":1},"id":"AWAi6wvxAvKNGEbUWO_j","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"panel_2","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MSwxXQ=="} 
+{"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client
_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\"
:\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.
FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Targ
etUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafk
a.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_
params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"t
ype\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ge
o.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.
hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik
.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_
code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"id":"AWBLHZaBRuBloj96j
vrD","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MiwxXQ=="} +{"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"7.4.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Computer Names","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Computer Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLNriuRuBloj96jxv3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Event IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Event 
IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLOT8MRuBloj96jx0N","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Usernames","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Beats - Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLONJCRuBloj96jxzY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"AWBLQ2__RuBloj96jyDn","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4OCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Beats - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHHR8xQT5EBNmq4z7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig
\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Beats","version":1},"id":"AWBLNS3CRuBloj96jxub","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AWBLMr9vRuBloj96jxp1","name":"panel_0","type":"search"},{"id":"AWBLNriuRuBloj96jxv3","name":"panel_1","type":"visualization"},{"id":"AWBLN7X2RuBloj96jxxY","name":"panel_2","type":"visualization"},{"id":"AWBLOT8MRuBloj96jx0N","name":"panel_3","type":"visualization"},{"id":"AWBLONJCRuBloj96jxzY","name":"panel_4","type":"visualization"},{"id":"AWBLQ2__RuBloj96jyDn","name":"panel_5","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_6","type":"visualization"},{"id":"AWDHHHR8xQT5EBNmq4z7","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG71xFxQT5EBNmq336","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9Qx0xQT5EBNmq3_2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHD-LfxQT5EBNmq4iB","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDNS4xQT5EBNmq4dF","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDfDkxQT5EBNmq4fQ","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDsr0xQT5EBNmq4gw","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHE-_wxQT5EBNmq4n3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEKJUxQT5EBNmq4jW","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEYk4xQT5EBNmq4k5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHElRWxQT5EBNmq4lz","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHFYrqxQT5EBNmq4qT","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGXk-xQT5EBNmq4uf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGklsxQT5EBNmq4wG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Connection","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"},"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination 
Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination IP","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total 
Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination 
IP\",\"type\":\"histogram\"}"},"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Connections - Total 
Bytes","version":1},"id":"a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_1","type":"visualization"},{"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_2","type":"visualization"},{"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","name":"panel_3","type":"visualization"},{"id":"726cc040-48cf-11e8-9576-313be7c6b44b","name":"panel_4","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwOCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - Request - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - Request - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Data Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Data 
Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count By Node ","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Log Count By Node 
\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"},"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"w\":17,\"x\":9,\"y\":0},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\",\"w\":22,\"x\":26,\"y\":0},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"w\":22,\"x\":0,\"y\":8},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"w\":8,\"x\":31,\"y\":8},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - 
Home","version":1},"id":"a8411b30-6d03-11ea-b301-3d6c35840645","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Query Results Count","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query 
Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Osquery - Query Results Count\"}"},"id":"ab47a590-afcc-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"}]","timeRestore":false,"title":"Security Onion - Users","version":1},"id":"abbe1140-72c7-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset By Node","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset By Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"abffa080-6ec9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f5166880-374f-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxOCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Request Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}"},"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\"
:\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"18\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\
"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SIP","version":1},"id":"ad3c0830-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5166880-374f-11e7-b74a-f5057991ccd2","name":"panel_2","type":"visualization"},{"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","name":"panel_3","type":"visualization"},{"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","name":"panel_4","type":"visualization"},{"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","name":"panel_5","type":"visualization"},{"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","name":"panel_6","type":"visualization"},{"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","name":"panel_7","type":"visualization"},{"id":"930b1600-3753-11e7-b74a-f5057991ccd2","name":"panel_8","type":"visualization"},{"id":"2db47070-3754-11e7-b74a-f5057991ccd2","name":"panel_9","type":"visualization"},{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","name":"panel_11","type":"visualization"},{"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","name":"panel_12","type":"visualization"},{"id":"AWDHDNS4xQT5EBNmq4dF","name":"panel_13","type":"visualization"},{"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:files\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"panelIndex\":\"0e36a0b5-5
905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - Zeek 
Files","version":1},"id":"ad4d5d60-75f4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Destination Country (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: 
Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - TLS - True/False (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"},"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial 
Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"title\":\"Chrome Extensions - Logs\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"title\":\"Chrome Extensions - Sensitive Permissions\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelIndex\":\"20\",\"embeddableConfig\":{},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Chrome 
Extensions","version":1},"id":"af0ea750-18d3-11e9-932c-d12d2cf4ee95","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","name":"panel_1","type":"visualization"},{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"panel_2","type":"search"},{"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_3","type":"visualization"},{"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Osquery - Name\"}"},"id":"af139720-afcb-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type 
(Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"title\":\"Security Onion - DHCP - Message Type (Donut)\"}"},"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:48:58.637Z","version":"WzczNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"},"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Country (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Destination Country (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - TLS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"d776e510-6e28-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\
"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"Bro - SMTP","version":1},"id":"b10a9c60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"96767400-39a2-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","name":"panel_7","type":"visualization"},{"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","name":"panel_8","type":"visualization"},{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"d776e510-6e28-11e7-8b76-75eee0095daa","name":"panel_10","type":"visualization"
},{"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","name":"panel_11","type":"visualization"},{"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","name":"panel_12","type":"visualization"},{"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","name":"panel_13","type":"visualization"},{"id":"AWDHDsr0xQT5EBNmq4gw","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - IIN","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"},"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae
5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - DNP3","version":1},"id":"b1f52180-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Authentication 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba
2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Kerberos","version":1},"id":"b207ab90-75bc-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzOCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":
\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SMB","version":1},"id":"b3a53710-3aaa-11e7-8b17-0d8709b02c80","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","name":"panel_2","type":"visualization"},{"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","name":"panel_3","type":"visualization"},{"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","name":"panel_4","type":"visualization"},{"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","name":"panel_5","type":"visualization"},{"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","name":"panel_8","type":"visualization"},{"id":"AWDHDfDkxQT5EBNmq4fQ","name":"panel_9","type":"visualization"},{"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"},"id":"b50912f0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Responder Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Responder Bytes","version":1},"id":"b65775e0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Session Duration","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Session 
Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"},"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"
y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SNMP","version":1},"id":"b65c2710-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","name":"panel_2","type":"visualization"},{"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","name":"panel_3","type":"visualization"},{"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","name":"panel_4","type":"visualization"},{"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","name":"panel_5","type":"visualization"},{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","name":"panel_7","type":"visualization"},{"id":"AWDHD-LfxQT5EBNmq4iB","name":"panel_8","type":"visualization"},{"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Validation Status","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Validation Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"},"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-
3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - RADIUS","version":1},"id":"b9769e60-75c4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_5","type":"visualization"},{"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac
55b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"Security Onion - Osquery","version":1},"id":"bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ab47a590-afcc-11ea-b262-353d451b125b","name":"panel_3","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Software","version":1},"id":"c2c99c30-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"AWDHEKJUxQT5EBNmq4jW","name":"panel_3","type":"visualization"},{"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MiwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Protocol (Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Connections - Protocol (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"c3152010-3673-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf4219
0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb
-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - MySQL","version":1},"id":"c3ced6d0-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"},"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":
\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Bro - Syslog","version":1},"id":"c4bbe040-76b3-11e7-ba96-cba76a1e264d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","name":"panel_1","type":"visualization"},{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"panel_2","type":"search"},{"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_3","type":"visualization"},{"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_4","type":"visualization"},{"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_5","type":"visualization"},{"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","name":"panel_6","type":"visualization"},{"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","name":"panel_7","type":"visualization"},{"id":"AWDHE-_wxQT5EBNmq4n3","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Authentication Success","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication 
Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"},"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSH -Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH 
-Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"},"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"v
ersion\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
SSH","version":1},"id":"c6ccfc00-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","name":"panel_5","type":"visualization"},{"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHEYk4xQT5EBNmq4k5","name":"panel_8","type":"visualization"},{"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c7484350-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"},"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Share Flag","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Share 
Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Desktop 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"},"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-8
3a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - RFB","version":1},"id":"c8b3c360-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connection Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connection 
Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c94e2aa0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelIn
dex\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Tunnels","version":1},"id":"c962dd60-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Weird - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"cb29fbe0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}},{\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Connections - Top Source IPs","version":1},"id":"cb367060-3b04-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_0","type":"visualization"},{"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_2","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS 
Version\"}}]}"},"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i
\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"19\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"20\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - SSL","version":1},"id":"cca67b60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"3753e110-365a-11e7-bf60-314364dd1cde","name":"panel_2","type":"visualization"},{"id":"02699580-365a-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_4","type":"visualization"},{"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_5","type":"visualization"},{"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_6","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_7","type":"visualization"},{"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","name":"panel_8","type":"visualization"},{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","name":
"panel_10","type":"visualization"},{"id":"AWDHElRWxQT5EBNmq4lz","name":"panel_11","type":"visualization"},{"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Sum of Total Bytes","version":1},"id":"ccfcc540-4638-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"1342e630-4632-11e7-9903-85f789353078","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Entropy","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"},"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Warning","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"},"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Tunnels - 
Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,
\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - Tunnels","version":1},"id":"d7b54ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","name":"panel_8","type":"visualization"},{"id":"AWDHFYrqxQT5EBNmq4qT","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Connections - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Server Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"},"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network 
Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"dbe4cc20-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z
","version":"WzY4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Queries","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"},"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a0
6-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - SIP","version":1},"id":"dd98e260-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"49384710-75ca-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4OCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"column
Index\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Weird","version":1},"id":"de2da250-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","name":"panel_2","type":"visualization"},{"id":"312cd460-364e-11e7-9dc3-d35061cb642d","name":"panel_3","type":"visualization"},{"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","name":"panel_4","type":"visualization"},{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","name":"panel_6","type":"visualization"},{"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHGXk-xQT5EBNmq4uf","name":"panel_8","type":"visualization"},{"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SSDeep","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - 
SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"},"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MCwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableCon
fig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - 
Connections","version":1},"id":"e0a34b90-34e6-11e7-9118-45bd317f0ca4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","name":"panel_1","type":"visualization"},{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a54f150-366e-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"296823d0-366f-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"b50912f0-366f-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"05088150-3670-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"c3152010-3673-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","name":"panel_8","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"25ce6eb0-463b-11e7-a82e-d97152153689","name":"panel_10","type":"visualization"},{"id":"AWDG71xFxQT5EBNmq336","name":"panel_11","type":"visualization"},{"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"},{"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Destination Port (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Destination Port (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"},"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"fab4b560-37d8-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},
\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Bro - X.509","version":1},"id":"e5aa7170-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"738127f0-37d7-11e7-9efb-91e89505091f","name":"panel_3","type":"visualization"},{"id":"fab4b560-37d8-11e7-9efb-91e89505091f","name":"panel_4","type":"visualization"},{"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","name":"panel_5","type":"visualization"},{"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","name":"panel_6","type":"visualization"},{"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","name":"panel_7","type":"visualization"},{"id":"AWDHGklsxQT5EBNmq4wG","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Domain","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"},"id":"e80aa100-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Top Connection 
Duration","version":1},"id":"ea211360-46c4-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f7492d0-46c4-11e7-a82e-d97152153689","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"},"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"22\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\
":56,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"25\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"26\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - 
DNS","version":1},"id":"ebf5ec90-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","name":"panel_2","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_3","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_4","type":"visualization"},{"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","name":"panel_5","type":"visualization"},{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","name":"panel_8","type":"visualization"},{"id":"74861280-6f06-11e7-b253-211f64f37eda","name":"panel_9","type":"visualization"},{"id":"AWDG9Qx0xQT5EBNmq3_2","name":"panel_10","type":"visualization"},{"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","name":"panel_11","type":"visualization"},{"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","name":"panel_12","type":"visualization"},{"id":"22f7de30-4949-11e8-9576-313be7c6b44b","name":"panel_13","type":"visualization"},{"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - File System","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - File 
System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"},"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5OSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"title\":\"NIDS Alert - Source Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"title\":\"NIDS Alert - Destination Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"title\":\"NIDS - Alert Summary \",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"title\":\"NIDS - Alert 
Title\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"title\":\"NIDS - Rule Signature\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"NIDS - SID Drilldown","version":1},"id":"ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_4","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","name":"panel_6","type":"visualization"},{"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_7","type":"visualization"},{"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ede56800-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMSwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":20,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-
a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":20,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SSL","version":1},"id":"efae8de0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMiwxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Sum of Total Bytes","version":1},"id":"f042ad60-46c6-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMywxXQ=="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-
c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SMB","version":1},"id":"f24d7b80-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"34762420-75f0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"052df440-75f0-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:playbook AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"title\":\"Security Onion - Alert Data\"},\"title\":\"Security Onion - Alert 
Data\",\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":26,\"h\":18,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":18,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]","timeRestore":false,"title":"Security Onion - Playbook","version":1},"id":"f449f0a0-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"search"}],"type":"dashboard","updated_at":"2020-07-16T16:10:05.109Z","version":"WzgyOCwyXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Action","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND 
event.module:zeek\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"
y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Zeek - Notices","version":1},"id":"fa9ed760-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","name":"panel_3","type":"visualization"},{"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"event.module.keyword\",\"negate\":true,\"params\":{\"query\":\"suricata\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module.keyword\":\"suricata\"}}}]}"},"savedSearchRefName":"search_0","title":"Security Onion - Playbook - 
Rules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Playbook - 
Rules\"}"},"id":"faaf66e0-c77d-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T16:04:07.886Z","version":"WzgyNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Syslog - Severity 
(Donut)\"}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:39:24.060Z","version":"Wzc5OSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-
0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwOCwxXQ=="} +{"exportedCount":724,"missingRefCount":0,"missingReferences":[]} From 958d614beff083a6d5c937afd1ff1f1a58c2eb45 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 09:21:47 -0400 Subject: [PATCH 268/314] [fix] Only show motd ip message on manager node --- salt/motd/files/so_motd.jinja | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/motd/files/so_motd.jinja b/salt/motd/files/so_motd.jinja index 4b22eb56c..43ad3b4de 100644 --- a/salt/motd/files/so_motd.jinja +++ b/salt/motd/files/so_motd.jinja 
@@ -1,9 +1,11 @@
 {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%}
+{% set role = grains.id.split('_') | last -%}
 {% set url = salt['pillar.get']('manager:url_base') -%}
-
+{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
 Access the Security Onion web interface at https://{{ url }}
 (You may need to run so-allow first if you haven't yet)
+{% endif %}
 {%- if needs_restarting_check %}
 {%- set minions_need_restarted = [] %}
From e91aa751a79dd2a201be526df0766d8d4822b604 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 17 Jul 2020 09:38:43 -0400
Subject: [PATCH 269/314] Change verbiage
---
 salt/wazuh/files/agent/ossec.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 37971aa93..8d38868ef 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -6,7 +6,7 @@
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
 {%- endif %}
From 6f077e66e6400b82010d36b3999e9677a20ae117 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Jul 2020 10:05:54 -0400
Subject: [PATCH 270/314] dont try to copy schedules if the directory is empty
---
 setup/so-functions | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 0bbc013b2..8c2c18d2a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
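Review bot: The new `role` line encodes an undocumented naming contract — it takes whatever follows the last `_` in the minion id — and a minion whose id does not end in one of the four listed roles silently loses the web-interface message with no fallback. A comment next to it would spare the next maintainer a hunt, e.g. `{# minion id is expected to be <hostname>_<role>; the UI URL is only shown on manager-type roles #}`. The surrounding tags use whitespace control (`-%}`, `{%-`) while the new `{% if %}`/`{% endif %}` do not, so the rendered motd likely gains blank lines on nodes where the block is skipped; `{%- if ... -%}` and `{%- endif -%}` would keep the output tight (inferred from the visible tags, worth checking against the rendered file). The template continues past the hunk.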
@@ -465,7 +465,9 @@ copy_minion_tmp_files() {
 ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
 ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
 scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
- scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules;
+ if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then
+ scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules;
+ fi
 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID";
 } >> "$setup_log" 2>&1
 ;;
From 2541f4d8e8aff3f896a525e8d0d55f825bfc484c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Jul 2020 10:23:51 -0400
Subject: [PATCH 271/314] dont try to copy schedules if the directory is empty
---
 setup/so-functions | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 8c2c18d2a..b159f286f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
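Review bot: The added `ls -A` test leaves `$temp_install_dir` unquoted inside the command substitution while the `scp` line directly below quotes the same variable, so a path containing whitespace would be split into several arguments and the emptiness check would misfire. Quote it the same way: `if [ "$(ls -A "$temp_install_dir"/salt/patch/os/schedules/)" ]; then`. The identical line is carried forward unchanged by the next commit in this series (2541f4d), which only wraps it in a `-d` guard, so the fix applies there too. `copy_minion_tmp_files` begins before the hunk and this block sits inside a `case` arm.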
@@ -465,8 +465,10 @@ copy_minion_tmp_files() { ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; + if [ -d "$temp_install_dir"/salt/patch/os/schedules/ ]; then + if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then + scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; + fi fi ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 From 6e4eb7639344046f9ac00abc8b6621114a24a3ab Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Jul 2020 10:25:48 -0400 Subject: [PATCH 272/314] Eval Ubuntu Fleet fix --- salt/ssl/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a0780ecf6..efa3032dc 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -142,6 +142,7 @@ regkeyperms: - signing_policy: managerssl - public_key: /etc/pki/managerssl.key - CN: {{ manager }} + - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -289,4 +290,4 @@ fleetkeyperms: - mode: 640 - group: 939 -{% endif %} +{% endif %} \ No newline at end of file From 17e3bde2f828357e4a8c491bd55d2a551a3557e1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Jul 2020 10:55:30 -0400 Subject: [PATCH 273/314] Create home dir for adduser function --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
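Review bot: The new `subjectAltName` value is built with `{% if %}`/`{% endif %}` tags that keep their surrounding whitespace, so when CUSTOM_FLEET_HOSTNAME is set the rendered string is `DNS:<host>, IP:<ip> ,DNS:<fleet> ` with a space before the comma and a trailing space; whether salt's x509 module tolerates that is not shown here, and trimming it in the template removes the doubt: `- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}{%- if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{%- endif %}`. The CN is `{{ manager }}` while the SAN lists only HOSTNAME and MAINIP; if those can differ, clients that validate against the SAN alone (most current TLS stacks) will reject the name the user actually types, so `manager` should also appear as a DNS entry, or a comment should state that the two are always equal. The `- days_remaining: 0` context suggests the certificate is only re-issued when it is about to expire; it is worth confirming on an existing install that adding a SAN actually triggers regeneration rather than leaving the old certificate in place. The state whose id these lines belong to starts above the hunk.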
diff --git a/setup/so-functions b/setup/so-functions index b159f286f..cb7345abb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -79,7 +79,7 @@ so_add_user() { echo "Add $username user" >> "$setup_log" 2>&1 groupadd --gid "$gid" "$username" - useradd --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" + useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" # If a password has been passed in, set the password if [ "$pass" ]; then From d97271cca34107d35d74f89f9c4dd03bcc5b6168 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 11:08:31 -0400 Subject: [PATCH 274/314] [fix] Don't drop to shell while running so-allow --- setup/so-setup | 18 +++++++++++------- setup/so-whiptail | 9 +++++++++ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 7cf0c70f8..7f8862841 100755 --- a/setup/so-setup +++ b/setup/so-setup 
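Review bot: `useradd -m` now creates `$home_dir`, but the command's exit status is still unchecked, so a failure (uid already taken, invalid path) falls through to the password branch and the rest of setup with a half-created account; `useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" >> "$setup_log" 2>&1 || return 1` would surface it to the caller. With `-m` the directory's mode and skeleton contents come from /etc/login.defs and /etc/skel rather than from this script, which matters if the account will later hold keys or credentials; a comment such as `# -m: create the home dir; its mode follows /etc/login.defs UMASK, not this script` records that assumption. so_add_user's body continues outside this hunk.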
@@ -622,24 +622,28 @@ fi } | progress success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') +if [[ $success != 0 ]]; then SO_ERROR=1; fi -if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow if [[ -n $SO_ERROR ]]; then echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 SKIP_REBOOT=1 whiptail_setup_failed else - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" >> $setup_log 2>&1 - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi + { + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + set_progress_str 98 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + fi - if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi + set_progress_str 99 'Waiting for TheHive to start up' + if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi - install_cleanup >> $setup_log 2>&1 + } | whiptail_gauge_post_setup "Running post-installation steps..." whiptail_setup_complete fi +install_cleanup >> $setup_log 2>&1 + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-whiptail b/setup/so-whiptail index 3556a8245..358a18909 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1086,6 +1086,15 @@ whiptail_so_allow() { whiptail_check_exitstatus $exitstatus } +whiptail_gauge_post_setup() { + + [ -n "$TESTING" ] && return + + local msg=$1 + + whiptail --title "Security Onion Setup" --guage "$msg" 6 60 96 +} + whiptail_strelka_rules() { [ -n "$TESTING" ] && return From ede250d9e4febd070161cd2494ef29169925765d Mon Sep 17 00:00:00 2001 
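Review bot: `install_cleanup` has moved out of the `else` branch to after the `fi`, so it now also runs on the error path, where the message two lines earlier promises to skip post-setup steps "to allow for analysis of failures"; if cleanup removes temporary install files, that material is gone before anyone looks at it, so either guard it with `if [[ -z $SO_ERROR ]]; then install_cleanup >> $setup_log 2>&1; fi` or add a comment stating that cleanup is safe to run after a failed install. Inside the new brace group the results of `so-allow` and `check_hive_init` are only visible through the gauge pipe, whose exit status is whiptail's, so a failed `so-allow` no longer has any way to influence `SO_ERROR` or `SKIP_REBOOT`; writing a marker line to `$setup_log` on failure and testing for it after the group would keep that signal. The enclosing block in so-setup continues past the hunk.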
From: William Wernert Date: Fri, 17 Jul 2020 11:09:08 -0400 Subject: [PATCH 275/314] [feat] Merge access method dialogs together --- setup/so-functions | 1 - setup/so-whiptail | 10 +--------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 0bbc013b2..660b64393 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -867,7 +867,6 @@ generate_passwords(){ } get_redirect() { - whiptail_set_redirect_info whiptail_set_redirect if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host diff --git a/setup/so-whiptail b/setup/so-whiptail index 358a18909..486428ca5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -997,7 +997,7 @@ whiptail_set_redirect() { [ -n "$TESTING" ] && return REDIRECTINFO=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose the access method for the web interface:" 20 75 4 \ + "Choose the access method for the web interface: \nNOTE: For security reasons, we use strict cookie enforcement" 20 75 4 \ "IP" "Use IP to access the web interface" ON \ "HOSTNAME" "Use hostname to access the web interface" OFF \ "OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 ) @@ -1015,14 +1015,6 @@ whiptail_set_redirect_host() { whiptail_check_exitstatus $exitstatus } -whiptail_set_redirect_info() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --msgbox "The following selection refers to accessing the web interface. \n -For security reasons, we use strict cookie enforcement." 10 75 -} - whiptail_setup_complete() { [ -n "$TESTING" ] && return From 9cbc7ad8f52d9a0d43a40eb4a7e9528d3589d1c5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 12:08:16 -0400 Subject: [PATCH 276/314] [fix] guage -> gauge --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 486428ca5..3c00a30d3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
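Review bot: The merged prompt text in whiptail_set_redirect, `"Choose the access method for the web interface: \nNOTE: For security reasons, we use strict cookie enforcement"`, states the policy but not its consequence for the user, which the removed msgbox also left implicit: presumably the web interface must then be opened with exactly the IP or name chosen here. A wording such as `NOTE: Strict cookie enforcement is used, so the web interface must be accessed using exactly the IP or name you choose here.` makes the choice actionable. Whether whiptail expands the literal `\n` inside this double-quoted string is not visible here; the removed dialog used a real line break inside the quotes, so if the rendered radiolist shows `\n` verbatim, switch to `$'...'` quoting or a real newline. The get_redirect hunk in so-functions is only the matching call removal.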
@@ -1084,7 +1084,7 @@ whiptail_gauge_post_setup() { local msg=$1 - whiptail --title "Security Onion Setup" --guage "$msg" 6 60 96 + whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96 } whiptail_strelka_rules() { From d88e15ecb4e1ae76509f0ea875f6e8f0306cd360 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 12:33:25 -0400 Subject: [PATCH 277/314] [fix] Use `| tee` instead of redirect when already redirecting to setup log --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index ac72d4fb2..f54ea5446 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1314,7 +1314,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" | tee /etc/apt/sources.list.d/saltstack2019.list >> "$setup_log" 2>&1 # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 
@@ -1346,7 +1346,7 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" | tee /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 ;; esac From 1abf324654095a2ee95cfe9f78e906415798de51 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 12:59:17 -0400 Subject: [PATCH 278/314] [fix] Set `py_ver_url_path` for all install types --- setup/so-functions | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f54ea5446..58bde1aba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -588,7 +588,7 @@ configure_network_sensor() { } detect_cloud() { - echo "Testing if setup is running on a cloud instance" + echo "Testing if setup is running on a cloud instance..." if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi } @@ -609,7 +609,7 @@ detect_os() { exit 1 fi - echo "Installing required packages to run installer" + echo "Installing required packages to run installer..." # Install bind-utils so the host command exists if ! command -v host > /dev/null 2>&1; then yum -y install bind-utils >> "$setup_log" 2>&1 
@@ -640,7 +640,7 @@ detect_os() { exit 1 fi - echo "Installing required packages to run installer" + echo "Installing required packages to run installer..." # Install network manager so we can do interface stuff if ! command -v nmcli > /dev/null 2>&1; then { @@ -1304,13 +1304,13 @@ saltify() { # Grab the version from the os-release file local ubuntu_version ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') + if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi case "$install_type" in 'FLEET') if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? - if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 @@ -1322,7 +1322,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 From da155b5dea650a98737889d7c11e8471477e73ab Mon Sep 17 00:00:00 2001 
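Review bot: The rewritten `wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub` stores a repository signing key with nothing checking what arrived: there is no fingerprint comparison, and with `wget -q` and the exit status unchecked an HTTP error leaves an empty or stale file that a later `apt-key add` accepts without complaint. The same applies to the `wget ... | apt-key add -` line in the earlier saltify hunk (@@ -1314,7 +1314,7 @@); a post-download check such as `gpg --with-colons --with-fingerprint /opt/so/gpg/SALTSTACK-GPG-KEY.pub | grep -q '^fpr:.*:<EXPECTED_FINGERPRINT>:' || exit 1` (fingerprint is a placeholder) would pin the trust anchor in the installer instead of trusting whatever the mirror serves. This key is also fetched from the `latest` directory while the sources line written earlier in saltify pins `archive/2019.2.5`; if the two are ever signed with different keys the pinned repo fails verification, so a comment stating that the key is shared across versions would help. Moving `py_ver_url_path` ahead of the `case` looks correct; saltify continues outside the hunk.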
From: Josh Brower Date: Fri, 17 Jul 2020 13:00:03 -0400 Subject: [PATCH 279/314] Kibana Fleet Pivot Fix --- salt/kibana/bin/so-kibana-config-load | 2 +- salt/kibana/files/saved_objects.ndjson | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index f59d0c10d..451e848a1 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -10,7 +10,7 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o # {% if FLEET_NODE or FLEET_MANAGER %} # Fleet IP -sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson +#sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # {% endif %} # SOCtopus and Manager diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 81051c94b..4bbf891b4 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson 
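Review bot: Commenting out the `sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" ...` line leaves an empty Jinja `{% if FLEET_NODE or FLEET_MANAGER %}` block and a `# Fleet IP` comment that no longer describe anything, and nothing on this page shows whether `FLEETPLACEHOLDER` still appears in the ndjson template; if it does, the dashboards now ship with a literal placeholder in the pivot URL. Either delete the block together with the dead line, or replace the commented-out command with a one-line why-comment, e.g. `# Fleet pivot no longer needs the manager address substituted here (see the saved_objects.ndjson change in this commit)`, so the next reader does not simply re-enable it. The accompanying ndjson hunk is a minified single line and cannot be reviewed meaningfully here.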
@@ -1,7 +1,7 @@ {"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzAsMV0="} -{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value 
}}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9
?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b
32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplat
e\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip
_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://FLEETPLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":
\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"da
ta.data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_
packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote
_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"data.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dat
a_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decod
er.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"des
tination_geo.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_co
de.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_
name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"rea
dFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image
_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issu
er_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"nam
e\":\"osquery.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_
name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keywor
d\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":
false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keywo
rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEsMV0="} +{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value 
}}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9
?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b
32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplat
e\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip
_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyw
ord\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.da
ta.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packe
ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"data.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_cha
nnel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.na
me.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destinat
ion_geo.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.ke
yword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keywo
rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFrom
DocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_co
mmon_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"osquery.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"nam
e\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEsMV0="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Network 
Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/kibana#/dashboard/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/kibana#/dashboard/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/kibana#/dashboard/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/kibana#/dashboard/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/kibana#/dashboard/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/kibana#/dashboard/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/kibana#/dashboard/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [IRC](/kibana/app/kibana#/dashboard/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/kibana#/dashboard/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/kibana#/dashboard/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/kibana#/dashboard/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/kibana#/dashboard/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[PE](kibana/app/kibana#/dashboard/94b55b90-c761-11ea-bebb-37c5ab5894ea) |\\n[RADIUS](/kibana/app/kibana#/dashboard/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/kibana#/dashboard/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/kibana#/dashboard/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/kibana#/dashboard/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/kibana#/dashboard/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/kibana#/dashboard/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/kibana#/dashboard/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/kibana#/dashboard/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/kibana#/dashboard/efae8de0-75eb-11ea-9565-7315f4ee5cac) | 
[Syslog](/kibana/app/kibana#/dashboard/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/kibana#/dashboard/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/kibana#/dashboard/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"},\"title\":\"Security Onion - Network Data\"}"},"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T12:42:36.125Z","version":"WzcyNSwyXQ=="} -{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50
547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h
:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gri
dData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d
-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value 
}}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-
4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualizatio
n,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9
-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:
f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemp
late\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9
d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTem
plate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-1
1ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }{}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0
-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574
',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a
7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-
8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd
2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7
-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-
11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x
:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8)
,id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-
72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,
version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d
2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8
f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59
b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:
8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-45
95-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cl
ient.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.@timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@timestamp\"}}},{\"name\":\"data.@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@version\"}}},{\"name\":\"data._id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._id\"}}},{\"name\":\"data._index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._index\"}}},{\"name\":\"data._type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._type\"}}},{\"name\":\"data.agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.ephemeral_id\"}}},{\"name\":\"data.agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.id\"}}},{\"name\":\"data.agen
t.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.name\"}}},{\"name\":\"data.agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.type\"}}},{\"name\":\"data.agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.version\"}}},{\"name\":\"data.ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.ecs.version\"}}},{\"name\":\"data.event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.action\"}}},{\"name\":\"data.event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.category\"}}},{\"name\":\"data.event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.created\"}}},{\"name\":\"data.event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.dataset\"}}},{\"name\":\"data.event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.kind\"}}},{\"name\":\"data.event.module\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.module\"}}},{\"name\":\"data.event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.provider\"}}},{\"name\":\"data.fields.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.fields.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.fields.module\"}}},{\"name\":\"data.host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.architecture\"}}},{\"name\":\"data.host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.hostname\"}}},{\"name\":\"data.host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.id\"}}},{\"name\":\"data.host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.name\"}}},{\"name\":\"data.host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.build\"}}},{\"name\":\"data.host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.family\"}}},{\"name\":\"data.host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.kern
el.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.kernel\"}}},{\"name\":\"data.host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.name\"}}},{\"name\":\"data.host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.platform\"}}},{\"name\":\"data.host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.version\"}}},{\"name\":\"data.log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.log.level\"}}},{\"name\":\"data.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.message\"}}},{\"name\":\"data.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.module\"}}},{\"name\":\"data.num_hits\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.num_matches\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.command_line\"}}},{\"name\":\"data.process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.entity_id\"}}},{\"name\":\"data.proce
ss.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.executable\"}}},{\"name\":\"data.process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.command_line\"}}},{\"name\":\"data.process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.entity_id\"}}},{\"name\":\"data.process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.executable\"}}},{\"name\":\"data.process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"data.process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.description\"}}},{\"name\":\"data.process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.file_version\"}}},{\"name\":\"data.process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.original_file_name\"}}},{\"name\":\"data.process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.product\"}}},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"data.process.ppid\"}}},{\"name\":\"data.process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.working_directory\"}}},{\"name\":\"data.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tags\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.user.name\"}}},{\"name\":\"data.winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.api\"}}},{\"name\":\"data.winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.channel\"}}},{\"name\":\"data.winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.computer_name\"}}},{\"name\":\"data.winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Company\"}}},{\"name\":\"data.winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Hashes\"}}},{\"name\":\"data.winlog.event_data.Inte
grityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.IntegrityLevel\"}}},{\"name\":\"data.winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonGuid\"}}},{\"name\":\"data.winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonId\"}}},{\"name\":\"data.winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.ProcessId\"}}},{\"name\":\"data.winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.RuleName\"}}},{\"name\":\"data.winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.TerminalSessionId\"}}},{\"name\":\"data.winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.UtcTime\"}}},{\"name\":\"data.winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.opcode\"}}},{\"name\":\"data.winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_guid\"}}},{\"name\":\"data.winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_name\"}}},{\"name\":\"data.winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.task\"}}},{\"name\":\"data.winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.domain\"}}},{\"name\":\"data.winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.identifier\"}}},{\"name\":\"data.winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.name\"}}},{\"name\":\"data.winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.type\"}}},{\"name\":\"data.winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"t
ype\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\
"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.f
lavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"ty
pe\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ft
p.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}
},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host
.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syschec
k.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"e
sTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.in
fo_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esType
s\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\
"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"s
tring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyw
ord\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},
{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pro
cess.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.p
e.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\
":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\
":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Com
pression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\
",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"paren
t\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"tex
t\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword
\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"
}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.
exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sca
n.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TimeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sc
an.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"
scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.ke
yword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.
primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.charac
teristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.meta.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.identifier\"}}},{\"name\":\"scan.yara.meta.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.rule\"}}},{\"name\":\"scan.yara.meta.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.value\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_messag
e\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmai
l\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mu
lti\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"p
arent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"te
xt\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"s
yslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name
\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.pe
er\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.BufferSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.BufferSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.BufferSize\"}}},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Company\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CurrentStratumNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CurrentStratumNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CurrentStratumNumber\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DomainPeer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DomainPeer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DomainPeer\"}}},{\"name\":\"winlog.event_data.ErrorMessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ErrorMessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ErrorMessage\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.Library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Library\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.MaxSystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTy
pes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.RequiredSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RequiredSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RequiredSize\"}}},{\"name\":\"winlog.event_data.RetryMinutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RetryMinutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RetryMinutes\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"t
ype\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Service\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\
"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.TargetFilename\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TargetFilename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TargetFilename\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TimeOffsetSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeOffsetSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeOffsetSeconds\"}}},{\"name\":\"winlog.event_data.TimeSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeSource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSource\"}}},{\"name\":\"winlog.event_data.TimeSourceRefId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFrom
DocValues\":false},{\"name\":\"winlog.event_data.TimeSourceRefId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSourceRefId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keywo
rd\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provid
er_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.RebootReasons\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RebootReasons.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RebootReasons\"}}},{\"name\":\"winlog.user_data.RmSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RmSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RmSessionId\"}}},{\"name\":\"winlog.user_data.UTCStartTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.UTCStartTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.UTCStartTime\"}}},{\"name\":\"winlog.user_data.nApplications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.nApplications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.nApplications\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certifica
te.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not
_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-16T16:56:13.728Z","version":"Wzg0NCwyXQ=="} +{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator'
,viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:vis
ualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData
:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6d
dfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-40
69-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8
),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embedda
bleConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddabl
eConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9
-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:
f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemp
late\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9
d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTem
plate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-1
1ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }{}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),i
d:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0
-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574
',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a
7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-
8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd
2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7
-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-
11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x
:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8)
,id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-
72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,
version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d
2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8
f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59
b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:
8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-45
95-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cl
ient.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.@timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@timestamp\"}}},{\"name\":\"data.@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@version\"}}},{\"name\":\"data._id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._id\"}}},{\"name\":\"data._index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._index\"}}},{\"name\":\"data._type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._type\"}}},{\"name\":\"data.agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.ephemeral_id\"}}},{\"name\":\"data.agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.id\"}}},{\"name\":\"data.agen
t.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.name\"}}},{\"name\":\"data.agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.type\"}}},{\"name\":\"data.agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.version\"}}},{\"name\":\"data.ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.ecs.version\"}}},{\"name\":\"data.event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.action\"}}},{\"name\":\"data.event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.category\"}}},{\"name\":\"data.event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.created\"}}},{\"name\":\"data.event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.dataset\"}}},{\"name\":\"data.event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.kind\"}}},{\"name\":\"data.event.module\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.module\"}}},{\"name\":\"data.event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.provider\"}}},{\"name\":\"data.fields.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.fields.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.fields.module\"}}},{\"name\":\"data.host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.architecture\"}}},{\"name\":\"data.host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.hostname\"}}},{\"name\":\"data.host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.id\"}}},{\"name\":\"data.host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.name\"}}},{\"name\":\"data.host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.build\"}}},{\"name\":\"data.host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.family\"}}},{\"name\":\"data.host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.kern
el.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.kernel\"}}},{\"name\":\"data.host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.name\"}}},{\"name\":\"data.host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.platform\"}}},{\"name\":\"data.host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.version\"}}},{\"name\":\"data.log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.log.level\"}}},{\"name\":\"data.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.message\"}}},{\"name\":\"data.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.module\"}}},{\"name\":\"data.num_hits\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.num_matches\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.command_line\"}}},{\"name\":\"data.process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.entity_id\"}}},{\"name\":\"data.proce
ss.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.executable\"}}},{\"name\":\"data.process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.command_line\"}}},{\"name\":\"data.process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.entity_id\"}}},{\"name\":\"data.process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.executable\"}}},{\"name\":\"data.process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"data.process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.description\"}}},{\"name\":\"data.process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.file_version\"}}},{\"name\":\"data.process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.original_file_name\"}}},{\"name\":\"data.process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.product\"}}},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"data.process.ppid\"}}},{\"name\":\"data.process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.working_directory\"}}},{\"name\":\"data.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tags\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.user.name\"}}},{\"name\":\"data.winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.api\"}}},{\"name\":\"data.winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.channel\"}}},{\"name\":\"data.winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.computer_name\"}}},{\"name\":\"data.winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Company\"}}},{\"name\":\"data.winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Hashes\"}}},{\"name\":\"data.winlog.event_data.Inte
grityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.IntegrityLevel\"}}},{\"name\":\"data.winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonGuid\"}}},{\"name\":\"data.winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonId\"}}},{\"name\":\"data.winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.ProcessId\"}}},{\"name\":\"data.winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.RuleName\"}}},{\"name\":\"data.winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.TerminalSessionId\"}}},{\"name\":\"data.winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.UtcTime\"}}},{\"name\":\"data.winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.opcode\"}}},{\"name\":\"data.winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_guid\"}}},{\"name\":\"data.winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_name\"}}},{\"name\":\"data.winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.task\"}}},{\"name\":\"data.winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.domain\"}}},{\"name\":\"data.winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.identifier\"}}},{\"name\":\"data.winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.name\"}}},{\"name\":\"data.winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.type\"}}},{\"name\":\"data.winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"t
ype\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\
"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.f
lavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"ty
pe\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ft
p.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}
},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host
.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syschec
k.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"e
sTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.in
fo_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esType
s\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\
"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"s
tring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyw
ord\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},
{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pro
cess.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.p
e.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\
":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\
":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Com
pression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\
",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"paren
t\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"tex
t\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword
\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"
}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.
exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sca
n.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType
\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TimeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sc
an.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"
scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.ke
yword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.
primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.charac
teristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.meta.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.identifier\"}}},{\"name\":\"scan.yara.meta.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.rule\"}}},{\"name\":\"scan.yara.meta.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.value\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_messag
e\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmai
l\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mu
lti\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"p
arent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"te
xt\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"s
yslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name
\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.pe
er\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.BufferSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.BufferSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.BufferSize\"}}},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Company\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CurrentStratumNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CurrentStratumNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CurrentStratumNumber\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DomainPeer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DomainPeer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DomainPeer\"}}},{\"name\":\"winlog.event_data.ErrorMessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ErrorMessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ErrorMessage\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.Library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Library\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.MaxSystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTy
pes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.RequiredSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RequiredSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RequiredSize\"}}},{\"name\":\"winlog.event_data.RetryMinutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RetryMinutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RetryMinutes\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"t
ype\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Service\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\
"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.TargetFilename\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TargetFilename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TargetFilename\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TimeOffsetSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeOffsetSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeOffsetSeconds\"}}},{\"name\":\"winlog.event_data.TimeSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeSource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSource\"}}},{\"name\":\"winlog.event_data.TimeSourceRefId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFrom
DocValues\":false},{\"name\":\"winlog.event_data.TimeSourceRefId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSourceRefId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keywo
rd\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provid
er_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.RebootReasons\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RebootReasons.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RebootReasons\"}}},{\"name\":\"winlog.user_data.RmSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RmSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RmSessionId\"}}},{\"name\":\"winlog.user_data.UTCStartTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.UTCStartTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.UTCStartTime\"}}},{\"name\":\"winlog.user_data.nApplications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.nApplications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.nApplications\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certifica
te.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not
_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-16T16:56:13.728Z","version":"Wzg0NCwyXQ=="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQsMV0="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUsMV0="} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYsMV0="} From 446817353ddb85e2d1a4a8e99e1fd8dd093443e4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 13:09:18 -0400 Subject: [PATCH 280/314] [refactor] `| tee ... >>` to `> ... 2>>` to show errors in log --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 58bde1aba..75fa51534 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1314,7 +1314,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" | tee /etc/apt/sources.list.d/saltstack2019.list >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -1329,7 +1329,7 @@ saltify() { # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" # Initialize the new repos apt-get update >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' 
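Review bot: The rewritten `echo "deb …" > /etc/apt/sources.list.d/saltstack2019.list 2>> "$setup_log"` no longer records the repository line in the setup log, which the previous `tee` form did, and the exit status of the redirect is still unchecked, so a failed write under `/etc/apt/sources.list.d` only surfaces later when `apt-get update` cannot see the repo. If the log entry is still wanted, add `echo "deb …" >> "$setup_log"` next to it, and report a failed write explicitly rather than letting it pass silently, e.g. `echo "deb …" > /etc/apt/sources.list.d/saltstack2019.list 2>> "$setup_log" || { echo "failed to write saltstack2019.list" >> "$setup_log"; exit 1; }`. The same applies to the wazuh line in the second hunk on this line and to both lines in the hunk at `@@ -1346`. Separately, the keys are still imported with `apt-key add`, which trusts each key for every configured repository; scoping them with a `[signed-by=/path/to/keyring]` option in the `deb` entry limits what each vendor key can sign for. `saltify` begins and ends outside these hunks.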
@@ -1346,8 +1346,8 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" | tee /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac apt-get update >> "$setup_log" 2>&1 From 6ba342c08488724c14ee496493f85cc1444cd01d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 17 Jul 2020 13:30:05 -0400 Subject: [PATCH 281/314] remove quotes --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b159f286f..6be0bc63d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -465,9 +465,9 @@ copy_minion_tmp_files() { ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - if [ -d "$temp_install_dir"/salt/patch/os/schedules/ ]; then + if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; + scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; fi fi ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; From 5570c778adb4aac915188656c8780d20d329d1f8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 13:30:08 -0400 Subject: [PATCH 282/314] [feat] Add hostname formatting check for manager hostname --- setup/so-whiptail | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 3c00a30d3..52889106e 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
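Review bot: Removing the quotes around `$temp_install_dir`, `$MSRV` and `$MINION_ID` in `copy_minion_tmp_files` is not needed for the glob and reintroduces word splitting and unwanted pathname expansion: in the original `"$temp_install_dir"/salt/patch/os/schedules/*` the `*` was already outside the quotes, so the glob expanded correctly. With the quotes gone, a value containing whitespace or glob characters breaks the `[ -d … ]` test and produces a different `scp` target than intended. Keep the quoted form, `if [ -d "$temp_install_dir"/salt/patch/os/schedules/ ]; then` and `scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules;`, which also matches the surrounding lines that the commit leaves quoted. The function continues outside the hunk.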
@@ -604,6 +604,22 @@ whiptail_management_server() { local exitstatus=$? whiptail_check_exitstatus $exitstatus + while [[ $MSRV == *'localhost'* || ! ( $MSRV =~ ^[a-zA-Z0-9\-]*$ ) ]] ; do + local error_message + error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ + the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', \ + and hyphen ('-')" | tr -d '\t') + + whiptail --title "Security Onion Setup" \ + --msgbox "$error_message" 10 75 + + MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your Manager Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + if ! getent hosts "$MSRV"; then add_manager_hostfile fi @@ -982,10 +998,13 @@ whiptail_set_hostname() { error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', \ and hyphen ('-')" | tr -d '\t') + whiptail --title "Security Onion Setup" \ --msgbox "$error_message" 10 75 + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + local exitstatus=$? whiptail_check_exitstatus $exitstatus done From 74f6f2abeea73532795f10ede7d385212f1f87cd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Jul 2020 13:38:55 -0400 Subject: [PATCH 283/314] Update soup --- salt/common/tools/sbin/soup | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 0cec8fe72..75e5da10e 100644 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
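Review bot: The validation regex `^[a-zA-Z0-9\-]*$` in the new `while` loop in `whiptail_management_server` accepts an empty string and names that begin or end with a hyphen, so a blank answer or `-foo` passes the loop and reaches `getent hosts`. A pattern such as `^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$` rejects both while still matching the rule the message states (letters, digits, hyphen); if an FQDN is a legitimate answer here, `.` also needs to be allowed. The re-prompt passes the literal `XXXX` as the input box default instead of the rejected `"$MSRV"`, unlike the `whiptail_set_hostname` loop in the second hunk, which passes `"$HOSTNAME"`. The `(case-sensitive)` label in the error text describes nothing the regex enforces and can be dropped.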
@@ -130,7 +130,7 @@ update_dockers() { docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION # Tag it with the new registry destination docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION - docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION done } @@ -139,6 +139,7 @@ update_version() { # Update the version to the latest echo "Updating the version file." echo $NEWVERSION > /etc/soversion + sed -i 's/$INSTALLEDVERSION/$NEWVERISON/g' /opt/so/saltstack/local/pillar/static.sls } upgrade_check() { @@ -177,4 +178,6 @@ clean_dockers update_dockers copy_new_files highstate -update_version \ No newline at end of file +update_version +echo "" +echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." From e3efaee864869dc4fd22553111d19a744604b2b0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 17 Jul 2020 14:41:44 -0400 Subject: [PATCH 284/314] change reference from bro to zeek --- pillar/docker/config.sls | 6 +++--- pillar/top.sls | 10 +++++----- pillar/{brologs.sls => zeeklogs.sls} | 2 +- salt/common/maps/so-status.map.jinja | 4 ++-- salt/common/tools/sbin/so-bro-logs | 14 +++++++------- salt/filebeat/etc/filebeat.yml | 6 +++--- salt/suricata/init.sls | 2 +- salt/suricata/suricata_config.map.jinja | 2 +- salt/top.sls | 10 +++++----- salt/zeek/files/node.cfg | 2 +- setup/automation/pm_standalone_defaults | 4 ++-- setup/so-common-functions | 4 ++-- setup/so-functions | 22 +++++++++++----------- setup/so-setup | 12 ++++++------ setup/so-whiptail | 20 ++++++++++---------- 15 files changed, 60 insertions(+), 60 deletions(-) rename pillar/{brologs.sls => zeeklogs.sls} (97%) diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls index dd73f3aa9..4d70fd517 100644 --- a/pillar/docker/config.sls +++ b/pillar/docker/config.sls 
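Review bot: The new `sed -i 's/$INSTALLEDVERSION/$NEWVERISON/g' /opt/so/saltstack/local/pillar/static.sls` in `update_version` does not do what it intends: the single quotes stop the shell from expanding the variables, so sed searches for the literal text `$INSTALLEDVERSION`, and the replacement name is misspelled (`NEWVERISON`), so even under double quotes it would expand to an empty string and erase the version. The line should read `sed -i "s/$INSTALLEDVERSION/$NEWVERSION/g" /opt/so/saltstack/local/pillar/static.sls`. Because the pattern is unanchored, restricting the substitution to the version line, e.g. `sed -i "/soversion:/s/$INSTALLEDVERSION/$NEWVERSION/" /opt/so/saltstack/local/pillar/static.sls`, avoids rewriting any other value that happens to contain the same string. The first hunk is a whitespace-only change.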
@@ -5,7 +5,7 @@ {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} +{% set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} eval: @@ -63,7 +63,7 @@ heavy_node: - so-suricata - so-wazuh - so-filebeat - {% if BROVER != 'SURICATA' %} + {% if ZEEKVER != 'SURICATA' %} - so-zeek {% endif %} helix: @@ -186,7 +186,7 @@ sensor: - so-telegraf - so-steno - so-suricata - {% if BROVER != 'SURICATA' %} + {% if ZEEKVER != 'SURICATA' %} - so-zeek {% endif %} - so-wazuh diff --git a/pillar/top.sls b/pillar/top.sls index 9ab170a97..889f0b63f 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -15,7 +15,7 @@ base: '*_sensor': - static - - brologs + - zeeklogs - healthcheck.sensor - minions.{{ grains.id }} @@ -32,7 +32,7 @@ base: '*_eval': - data.* - - brologs + - zeeklogs - secrets - healthcheck.eval - elasticsearch.eval @@ -45,7 +45,7 @@ base: - logstash.search - elasticsearch.search - data.* - - brologs + - zeeklogs - secrets - healthcheck.standalone - static @@ -57,13 +57,13 @@ base: '*_heavynode': - static - - brologs + - zeeklogs - minions.{{ grains.id }} '*_helix': - static - fireeye - - brologs + - zeeklogs - logstash - logstash.helix - minions.{{ grains.id }} diff --git a/pillar/brologs.sls b/pillar/zeeklogs.sls similarity index 97% rename from pillar/brologs.sls rename to pillar/zeeklogs.sls index 95f18691e..882cb92a9 100644 --- a/pillar/brologs.sls +++ b/pillar/zeeklogs.sls @@ -1,4 +1,4 @@ -brologs: +zeeklogs: enabled: - conn - dce_rpc diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index f30291f90..93f5f3d13 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja 
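Review bot: Renaming the pillar key `static:broversion` to `static:zeekversion` comes with no migration step visible in this series, so on an existing manager whose static pillar still carries `broversion: SURICATA` the new lookups fall back to their defaults (`'COMMUNITY'` here, `''` in `salt/top.sls` and `salt/suricata/init.sls`, `'ZEEK'` in `suricata_config.map.jinja`), all of which compare `!= 'SURICATA'`, so Zeek states and containers would start being applied to a deployment that opted out of Zeek; this is inferred from the defaults, since the upgrade path is not shown. A one-line rewrite of the key in the upgrade script, or reading both keys for one release, `{% set ZEEKVER = salt['pillar.get']('static:zeekversion', salt['pillar.get']('static:broversion', 'COMMUNITY')) %}`, avoids the silent change. The same concern applies to the `brologs` → `zeeklogs` rename consumed in `pillar/top.sls` and `filebeat.yml`, and to `BROVERSION` → `ZEEKVERSION` in `setup/automation/pm_standalone_defaults`, where an unmodified automation file leaves `ZEEKVERSION` unset.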
@@ -33,7 +33,7 @@ {% endif %} {% if role in ['heavynode', 'standalone'] %} - {{ append_containers('static', 'broversion', 'SURICATA') }} + {{ append_containers('static', 'zeekversion', 'SURICATA') }} {% endif %} {% if role == 'searchnode' %} @@ -41,5 +41,5 @@ {% endif %} {% if role == 'sensor' %} - {{ append_containers('static', 'broversion', 'SURICATA') }} + {{ append_containers('static', 'zeekversion', 'SURICATA') }} {% endif %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs index 4f55eb7f4..353eece1e 100755 --- a/salt/common/tools/sbin/so-bro-logs +++ b/salt/common/tools/sbin/so-bro-logs @@ -1,17 +1,17 @@ #!/bin/bash local_salt_dir=/opt/so/saltstack/local -bro_logs_enabled() { +zeek_logs_enabled() { - echo "brologs:" > $local_salt_dir/pillar/brologs.sls - echo " enabled:" >> $local_salt_dir/pillar/brologs.sls + echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls + echo " enabled:" >> $local_salt_dir/pillar/zeeklogs.sls for BLOG in ${BLOGS[@]}; do - echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls + echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls done } -whiptail_manager_adv_service_brologs() { +whiptail_manager_adv_service_zeeklogs() { BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \ "conn" "Connection Logging" ON \ @@ -54,5 +54,5 @@ whiptail_manager_adv_service_brologs() { "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) } -whiptail_manager_adv_service_brologs -bro_logs_enabled +whiptail_manager_adv_service_zeeklogs +zeek_logs_enabled diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 1342775b7..825ffaf64 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -6,7 +6,7 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} +{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %} {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} @@ -100,8 +100,8 @@ filebeat.inputs: - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] fields_under_root: true - {%- if BROVER != 'SURICATA' %} - {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} + {%- if ZEEKVER != 'SURICATA' %} + {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} - type: log paths: - /nsm/zeek/logs/current/{{ LOGNAME }}.log diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 4bb192316..c0677db16 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -14,7 +14,7 @@ # along with this program. If not, see . {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BROVER = salt['pillar.get']('static:broversion', '') %} +{% set ZEEKVER = salt['pillar.get']('static:zeekversion', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 557d4e519..9fb3c9a7f 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja 
@@ -44,7 +44,7 @@ HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]" {% endfor %} {% set surimeta_evelog_index = surimeta_evelog_index[0] %} -{% if salt['pillar.get']('static:broversion', 'ZEEK') == 'SURICATA' %} +{% if salt['pillar.get']('static:zeekversion', 'ZEEK') == 'SURICATA' %} {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} {% endif %} diff --git a/salt/top.sls b/salt/top.sls index f95223354..5f316dd15 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,4 +1,4 @@ -{%- set BROVER = salt['pillar.get']('static:broversion', '') -%} +{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', '') -%} {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} {%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%} @@ -48,7 +48,7 @@ base: - pcap - suricata - healthcheck - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - wazuh @@ -86,7 +86,7 @@ base: - kibana - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} {%- if STRELKA %} @@ -188,7 +188,7 @@ base: - kibana - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} {%- if STRELKA %} @@ -347,7 +347,7 @@ base: {%- endif %} - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - filebeat diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6be5aa5b1..55f77982c 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg @@ -38,7 +38,7 @@ af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} {%- else %} -[brosa] +[zeeksa] type=standalone host=localhost interface={{ interface }} 
diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index 156697a28..d7bc1ea1f 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -23,11 +23,11 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICBRO=7 +BASICZEEK=7 BASICSURI=7 # BLOGS= BNICS=eth1 -BROVERSION=ZEEK +ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC GRAFANA=1 diff --git a/setup/so-common-functions b/setup/so-common-functions index 078a721bf..c3df787cc 100644 --- a/setup/so-common-functions +++ b/setup/so-common-functions @@ -32,9 +32,9 @@ filter_unused_nics() { calculate_useable_cores() { # Calculate reasonable core usage - local cores_for_bro=$(( (num_cpu_cores/2) - 1 )) + local cores_for_zeek=$(( (num_cpu_cores/2) - 1 )) local lb_procs_round - lb_procs_round=$(printf "%.0f\n" $cores_for_bro) + lb_procs_round=$(printf "%.0f\n" $cores_for_zeek) if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi export lb_procs diff --git a/setup/so-functions b/setup/so-functions index 493030652..526fd37ae 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -143,18 +143,18 @@ secrets_pillar(){ } # Enable Bro Logs -bro_logs_enabled() { +zeek_logs_enabled() { echo "Enabling Bro Logs" >> "$setup_log" 2>&1 - local brologs_pillar=./pillar/brologs.sls + local zeeklogs_pillar=./pillar/zeeklogs.sls printf '%s\n'\ - "brologs:"\ - " enabled:" > "$brologs_pillar" + "zeeklogs:"\ + " enabled:" > "$zeeklogs_pillar" if [ "$MANAGERADV" = 'ADVANCED' ]; then for BLOG in "${BLOGS[@]}"; do - echo " - $BLOG" | tr -d '"' >> "$brologs_pillar" + echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" done else printf '%s\n'\ 
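Review bot: `zeek_logs_enabled` still logs `echo "Enabling Bro Logs" >> "$setup_log" 2>&1` and is introduced by the comment `# Enable Bro Logs`, so the rename is incomplete inside the function that was renamed; use `# Enable Zeek logs` and `echo "Enabling Zeek Logs" >> "$setup_log" 2>&1`. The function body continues into the next hunk.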
@@ -195,11 +195,11 @@ bro_logs_enabled() { " - weird"\ " - mysql"\ " - socks"\ - " - x509" >> "$brologs_pillar" + " - x509" >> "$zeeklogs_pillar" fi printf '%s\n' '----' >> "$setup_log" 2>&1 - cat "$brologs_pillar" >> "$setup_log" 2>&1 + cat "$zeeklogs_pillar" >> "$setup_log" 2>&1 } check_admin_pass() { @@ -1002,7 +1002,7 @@ manager_static() { " hnmanager: $HNMANAGER"\ " ntpserver: $NTPSERVER"\ " proxy: $PROXY"\ - " broversion: $BROVERSION"\ + " zeekversion: $ZEEKVERSION"\ " ids: $NIDS"\ " managerip: $MAINIP"\ " hiveuser: $WEBUSER"\ @@ -1470,7 +1470,7 @@ sensor_pillar() { if [ "$NSMSETUP" = 'ADVANCED' ]; then echo " zeek_pins:" >> "$pillar_file" - for PIN in "${BROPINS[@]}"; do + for PIN in "${ZEEKPINS[@]}"; do PIN=$(echo "$PIN" | cut -d\" -f2) echo " - $PIN" >> "$pillar_file" done @@ -1483,11 +1483,11 @@ sensor_pillar() { echo " zeek_lbprocs: $lb_procs" >> "$pillar_file" echo " suriprocs: $lb_procs" >> "$pillar_file" else - echo " zeek_lbprocs: $BASICBRO" >> "$pillar_file" + echo " zeek_lbprocs: $BASICZEEK" >> "$pillar_file" echo " suriprocs: $BASICSURI" >> "$pillar_file" fi printf '%s\n'\ - " brobpf:"\ + " zeekbpf:"\ " pcapbpf:"\ " nidsbpf:"\ " manager: $MSRV"\ diff --git a/setup/so-setup b/setup/so-setup index 7f8862841..b0aabbb89 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -230,7 +230,7 @@ if [[ $is_manager && $is_node ]]; then LSINPUTTHREADS=1 LSINPUTBATCHCOUNT=125 NIDS=Suricata - BROVERSION=ZEEK + ZEEKVERSION=ZEEK fi if [[ $is_node ]]; then @@ -253,7 +253,7 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv - whiptail_bro_version + whiptail_zeek_version whiptail_nids whiptail_rule_setup @@ -261,8 +261,8 @@ if [[ $is_manager && ! $is_eval ]]; then whiptail_oinkcode fi - if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then - whiptail_manager_adv_service_brologs + if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then + whiptail_manager_adv_service_zeeklogs fi fi 
@@ -295,11 +295,11 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_bro_pins + whiptail_zeek_pins whiptail_suricata_pins whiptail_bond_nics_mtu else - whiptail_basic_bro + whiptail_basic_zeek whiptail_basic_suri fi fi diff --git a/setup/so-whiptail b/setup/so-whiptail index 52889106e..cd0fb393c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -19,11 +19,11 @@ source ./so-variables source ./so-common-functions -whiptail_basic_bro() { +whiptail_basic_zeek() { [ -n "$TESTING" ] && return - BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \ + BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_bro_pins() { +whiptail_zeek_pins() { [ -n "$TESTING" ] && return 
@@ -51,20 +51,20 @@ whiptail_bro_pins() { cpu_core_list_whiptail+=("$item" "OFF") done - BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) + ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus - BROPINS=$(echo "$BROPINS" | tr -d '"') + ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') - IFS=' ' read -ra BROPINS <<< "$BROPINS" + IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" } -whiptail_bro_version() { +whiptail_zeek_version() { [ -n "$TESTING" ] && return - BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \ + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \ "SURICATA" "Use Suricata 5" OFF 3>&1 1>&2 2>&3) local exitstatus=$? @@ -642,7 +642,7 @@ whiptail_manager_adv() { } # Ask which additional components to install -whiptail_manager_adv_service_brologs() { +whiptail_manager_adv_service_zeeklogs() { [ -n "$TESTING" ] && return @@ -1122,7 +1122,7 @@ whiptail_suricata_pins() { [ -n "$TESTING" ] && return local filtered_core_list - readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${BROPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" + readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" local filtered_core_str=() for item in "${filtered_core_list[@]}"; do From 7176fdf7a178f0f38563f81eeabe56927f8f488f Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 17 Jul 2020 14:53:01 -0400 Subject: [PATCH 285/314] rename from bro to zeek --- salt/common/tools/sbin/{so-bro-logs => so-zeek-logs} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-bro-logs => so-zeek-logs} (100%) diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-zeek-logs similarity index 100% rename from salt/common/tools/sbin/so-bro-logs rename to salt/common/tools/sbin/so-zeek-logs From 3c855ed793918385220270d7514525e52e9ee51f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 17 Jul 2020 15:38:14 -0400 Subject: [PATCH 286/314] [fix] Set $percentage since it only exists in previous subshell --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index b0aabbb89..978a3b665 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -631,6 +631,7 @@ if [[ -n $SO_ERROR ]]; then whiptail_setup_failed else { + export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then set_progress_str 98 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 From 693a101d346a195e9f09d89b41ad60cc96b9990b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Jul 2020 15:59:58 -0400 Subject: [PATCH 287/314] IDSTOOLS Pillar Items --- salt/idstools/etc/modify.conf | 4 ++++ salt/idstools/etc/rulecat.conf | 15 ++++++++++++++- setup/so-functions | 11 +++++++++++ setup/so-whiptail | 5 ++--- 4 files changed, 31 insertions(+), 4 deletions(-) diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf index 79d038c26..a32725ada 100644 --- a/salt/idstools/etc/modify.conf +++ b/salt/idstools/etc/modify.conf @@ -1,3 +1,4 @@ +{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%} # idstools-rulecat - modify.conf # Format: "" "" 
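Review bot: `export percentage=95` hard-codes a value that has to stay in sync with the last `set_progress_str` call in the earlier subshell, and the comment only records that dependency without enforcing it. Having the subshell write its final percentage somewhere the parent can read, or defining one named constant used by both places, keeps the two from drifting when a step is added. The enclosing block starts and ends outside the hunk.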
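Review bot: `{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}` uses an empty mapping as the default for a value the template iterates line by line (`{%- for sid in modify_sids %}` in the next hunk), so the default is a different type from the list the loop expects; use `[]`. If the pillar ever held a mapping, the loop would emit its keys rather than its entries. Each entry is copied verbatim into `modify.conf`, so only trusted pillar content should reach this key; a comment saying so above the `set` line would help the next maintainer.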
@@ -12,3 +13,6 @@ # For compatibility, most Oinkmaster modifysid lines should work as # well. #modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" +{%- for sid in modify_sids %} +{{ sid }} +{%- endfor %} \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 441ce3c5b..59a5ccda5 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,19 @@ ---suricata-version=4.0 +{% set URLS = salt['pillar.get']('idstools:config:urls') -%} +{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%} +{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%} +--suricata-version=5.0 --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf +{%- if RULESET == 'ETOPEN' %} +--etopen +{%- elif RULESET == 'ETPRO' %} +--etpro={{ OINKCODE }} +{%- elif RULESET == 'TALOS' %} +--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} +{%- endif %} +{%- for URL in URLS %} +--url={{ URL }} +{%- endfor %} \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 526fd37ae..7493b3f0d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -982,7 +982,18 @@ manager_pillar() { "pcap:">> "$pillar_file"\ " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\ ""\ + "idstools:"\ + " config:"\ + " ruleset: $RULESETUP"\ + " oinkcode: $OINKCODE"\ + " url:"\ + " sids:"\ + " enabled:"\ + " disabled:"\ + " modify:"\ + "" "kratos:" >> "$pillar_file" + printf '%s\n'\ " kratoskey: $KRATOSKEY"\ diff --git a/setup/so-whiptail b/setup/so-whiptail index cd0fb393c..f0f1fb7b5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
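Review bot: The rendered `rulecat.conf` now carries the oinkcode in clear (`--etpro={{ OINKCODE }}` and the `?oinkcode={{ OINKCODE }}` query string), so the file becomes a secret-bearing artifact; the state that writes it is not in this series, so confirm it is deployed with owner-only permissions and kept out of logs and diagnostics. `URLS` is read from `idstools:config:urls` (plural) while `manager_pillar` in the `setup/so-functions` hunk on this line writes the key as `url:` with no value, so the names disagree and the template would never see a configured URL. A list default, `{% set URLS = salt['pillar.get']('idstools:config:urls', []) -%}`, makes the `for` loop safe when the key is absent. The `TALOS` branch pins a fixed `snortrules-snapshot-2983.tar.gz` while the file sets `--suricata-version=5.0`; a comment explaining why that snapshot is chosen and that the option is labelled experimental in the setup dialog would help whoever maintains it.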
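Review bot: `manager_pillar` writes `" oinkcode: $OINKCODE"` unquoted into YAML, so an oinkcode that consists only of digits is loaded as an integer (leading zeros dropped) rather than as the string the template expects; write it as `" oinkcode: '$OINKCODE'"`. The adjacent `" url:"` is emitted with no value, which YAML reads as null, whereas `rulecat.conf` looks up `idstools:config:urls` (plural) and iterates the result — the spellings should agree and an empty list should be written as `" urls: []"`. The `sids:` block is likewise written with `enabled:`, `disabled:` and `modify:` all null, which, if `pillar.get` returns the explicit null rather than its default, hands `None` to the `modify.conf` loop instead of the `{}` default; I cannot confirm salt's behaviour here, so writing `[]` explicitly is the safe form. The function continues outside the hunk.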
@@ -576,7 +576,7 @@ whiptail_oinkcode() { [ -n "$TESTING" ] && return OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3) + "Enter your ET Pro or oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -956,8 +956,7 @@ whiptail_rule_setup() { "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ "ETOPEN" "Emerging Threats Open" ON \ "ETPRO" "Emerging Threats PRO" OFF \ - "TALOSET" "Snort Subscriber (Talos) and ET NoGPL rulesets" OFF \ - "TALOS" "Snort Subscriber (Talos) ruleset and set a policy" OFF \ + "TALOS" "Snort Subscriber ruleset - Experimental" OFF \ 3>&1 1>&2 2>&3) local exitstatus=$? From 2e2bcfb3b7e26e1e546e104f292526ddb85a3ad3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Jul 2020 17:33:36 -0400 Subject: [PATCH 288/314] Fix functions so pillars are correct --- setup/so-functions | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 7493b3f0d..fe0ea8cb5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -987,11 +987,7 @@ manager_pillar() { " ruleset: $RULESETUP"\ " oinkcode: $OINKCODE"\ " url:"\ - " sids:"\ - " enabled:"\ - " disabled:"\ - " modify:"\ - "" + ""\ "kratos:" >> "$pillar_file" From aaca5c7ff2adb8f97d981a1bdfd0b94c68cfff70 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Jul 2020 17:35:16 -0400 Subject: [PATCH 289/314] Update rulecat.conf --- salt/idstools/etc/rulecat.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
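Review bot: The prompt still collects the ET Pro / Snort oinkcode through `--inputbox`, so the credential is echoed to the terminal as it is typed and remains on screen until the dialog closes; `whiptail --passwordbox` takes the same text/height/width arguments and masks the input. The `XXXXXXX` placeholder is returned verbatim if the user simply presses Enter, and nothing in the hunk rejects it, so consider validating the value before it reaches the pillar. The rest of `whiptail_oinkcode` is outside the hunk.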
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 59a5ccda5..b671d036e 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,4 +1,4 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set URLS = salt['pillar.get']('idstools:config:urls, {}') -%}
 {% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
 --suricata-version=5.0
@@ -16,4 +16,4 @@
 {%- endif %}
 {%- for URL in URLS %}
 --url={{ URL }}
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
From b75487dc743201c0f7a48bbfa2f03878ca8481a1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Jul 2020 17:36:13 -0400
Subject: [PATCH 290/314] Update so-functions
---
 setup/so-functions | 1 -
 1 file changed, 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index fe0ea8cb5..175471bd2 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -986,7 +986,6 @@ manager_pillar() {
 " config:"\
 " ruleset: $RULESETUP"\
 " oinkcode: $OINKCODE"\
- " url:"\
 ""\
 "kratos:" >> "$pillar_file"
From 1d24d7bc7f3c85c973c280af4157704079ac3844 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Jul 2020 17:38:10 -0400
Subject: [PATCH 291/314] Misc pillars
---
 salt/idstools/etc/disable.conf | 2 +-
 salt/idstools/etc/enable.conf | 2 +-
 salt/idstools/etc/modify.conf | 10 +----
 salt/idstools/etc/rulecat.conf | 2 +-
 salt/zeek/fileextraction_defaults.yaml | 29 +++++++++++++++
 salt/zeek/init.sls | 8 ++++
 .../custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE | 0
 salt/zeek/policy/intel/__load__.zeek | 7 +++-
 .../file-extraction/extract.zeek | 37 +++++-------------
 setup/files/intel.dat | 5 +++
 setup/so-functions | 10 +++--
 11 files changed, 68 insertions(+), 44 deletions(-)
 create mode 100644 salt/zeek/fileextraction_defaults.yaml
 delete mode 100644 salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE
 create mode 100644 setup/files/intel.dat
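Review bot: The default has landed inside the key string on the `+` line, `'idstools:config:urls, {}'`, so `pillar.get` looks up a key that does not exist and still returns `None`; the intended call is `salt['pillar.get']('idstools:config:urls', {})` (patch 291 on this page makes exactly that correction). A list default, `[]`, also fits a value that is iterated as URLs better than `{}`.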
diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index ff7197360..e667d54c7 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -1,4 +1,4 @@ -{% set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%} +{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%} # idstools - disable.conf # Example of disabling a rule by signature ID (gid is optional). diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index c16b25986..da2dfb6af 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf @@ -1,4 +1,4 @@ -{% set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%} +{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%} # idstools-rulecat - enable.conf # Example of enabling a rule by signature ID (gid is optional). diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf index a32725ada..52c4ca2ea 100644 --- a/salt/idstools/etc/modify.conf +++ b/salt/idstools/etc/modify.conf @@ -1,18 +1,10 @@ -{% set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%} +{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%} # idstools-rulecat - modify.conf # Format: "" "" # Example changing the seconds for rule 2019401 to 3600. #2019401 "seconds \d+" "seconds 3600" - -# Change all trojan-activity rules to drop. Its better to setup a -# drop.conf for this, but this does show the use of back references. -#re:classtype:trojan-activity "(alert)(.*)" "drop\\2" - -# For compatibility, most Oinkmaster modifysid lines should work as -# well. -#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" {%- for sid in modify_sids %} {{ sid }} {%- endfor %} \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 59a5ccda5..1957c6c13 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
@@ -1,4 +1,4 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{% set URLS = salt['pillar.get']('idstools:config:urls', {}) -%}
 {% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
 {% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
 --suricata-version=5.0
diff --git a/salt/zeek/fileextraction_defaults.yaml b/salt/zeek/fileextraction_defaults.yaml
new file mode 100644
index 000000000..3823b8203
--- /dev/null
+++ b/salt/zeek/fileextraction_defaults.yaml
@@ -0,0 +1,29 @@
+zeek:
+ policy:
+ file_extraction:
+ - application/x-dosexec: exe
+ - application/pdf: pdf
+ - application/msword: doc
+ - application/vnd.ms-powerpoint: doc
+ - application/rtf: doc
+ - application/vnd.ms-word.document.macroenabled.12: doc
+ - application/vnd.ms-word.template.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+ - application/vnd.ms-excel: doc
+ - application/vnd.ms-excel.addin.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+ - application/vnd.ms-excel.template.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+ - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument: doc
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 103f36c5a..7b91632c9 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
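Review bot: `file_extraction` is written as a list of one-key mappings, which forces the consuming template to unpack each single-key entry; a plain mapping of MIME type to extension, e.g. `application/x-dosexec: exe` nested directly under `file_extraction:`, expresses the same table and is simpler to merge or override. The last entry, `application/vnd.openxmlformats-officedocument`, has no subtype, so if the Zeek table it feeds is matched on the exact `mime_type` string it presumably never fires — confirm the intent, and a `# MIME type -> extension used for extracted files` comment at the top would help the next reader. The file also ends without a trailing newline.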
@@ -68,6 +68,14 @@ zeekpolicysync: - group: 939 - template: jinja +# Sync Intel +zeekintelloadsync: + file.managed: + - name: /opt/so/conf/policy/intel/__load__.zeek + - source: salt://zeek/policy/intel/__load__.zeek + - user: 937 + - group: 939 + zeekctlcfg: file.managed: - name: /opt/so/conf/zeek/zeekctl.cfg diff --git a/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE b/salt/zeek/policy/custom/ADD.CUSTOM.ZEEK.SCRIPTS.HERE deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/zeek/policy/intel/__load__.zeek b/salt/zeek/policy/intel/__load__.zeek index 4a4d603a7..4df4e0265 100644 --- a/salt/zeek/policy/intel/__load__.zeek +++ b/salt/zeek/policy/intel/__load__.zeek @@ -1 +1,6 @@ -#Intel +@load frameworks/intel/seen +@load frameworks/intel/do_notice +@load frameworks/files/hash-all-files +redef Intel::read_files += { + "/opt/zeek/share/zeek/policy/intel/intel.dat" +}; \ No newline at end of file diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek index fbb635982..cf7b307ab 100644 --- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek +++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek @@ -1,3 +1,4 @@ +{%- from zeek/fileextraction_defaults.yaml import zeek %} # Directory to stage Zeek extracted files before processing redef FileExtract::prefix = "/nsm/zeek/extracted/"; # Set a limit to the file size 
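Review bot: `zeekintelloadsync` writes to `/opt/so/conf/policy/intel/__load__.zeek`, while every other managed path visible in this file sits under `/opt/so/conf/zeek/` (`/opt/so/conf/zeek/zeekctl.cfg`, `/opt/so/conf/zeek/policy`), so the `zeek/` component looks dropped; unless that directory is intentional, use `- name: /opt/so/conf/zeek/policy/intel/__load__.zeek`. The state also has no `makedirs`, so it fails when the `intel` directory does not yet exist (patch 293 on this page adds `- makedirs: True`), and unlike `zeekpolicysync` it declares no `- template: jinja`, which is fine only if the file is meant to be copied verbatim.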
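Review bot: `Intel::read_files` now points at `/opt/zeek/share/zeek/policy/intel/intel.dat`, but nothing in this commit delivers that file to the path: setup only copies `intel.dat` into `$local_salt_dir/salt/zeek/policy/intel/` on the manager, and the sync state added alongside manages `__load__.zeek` alone. If `zeekpolicysync` does not already carry the `intel` directory to the sensor, the input reader will presumably report the missing file at startup; a `file.managed` for `intel.dat` next to `zeekintelloadsync` would make the dependency explicit. A header comment such as `# intel.dat is populated from setup/files/intel.dat via the manager's local salt tree` would document where the indicators come from.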
@@ -5,33 +6,15 @@ redef FileExtract::default_limit = 9000000; # These are the mimetypes we want to rip off the networks export { global _mime_whitelist: table[string] of string = { - ["application/x-dosexec"] = "exe", - ["application/pdf"] = "pdf", - ["application/msword"] = "doc", - ["application/vnd.ms-powerpoint"] = "doc", - ["application/rtf"] = "doc", - ["application/vnd.ms-word.document.macroenabled.12"] = "doc", - ["application/vnd.ms-word.template.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.template.macroenabled.12"] = "doc", - ["application/vnd.ms-excel"] = "doc", - ["application/vnd.ms-excel.addin.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.sheet.binary.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.template.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.sheet.macroenabled.12"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.slide"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.template"] = "doc", - ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "doc", - ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"] = "doc", - ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "doc", - ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "doc", - ["application/vnd.ms-powerpoint.addin.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.slide.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.presentation.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.slideshow.macroenabled.12"] = "doc", - ["application/vnd.openxmlformats-officedocument"] = "doc" - # Need to add other types such as zip, ps1, etc + {%- for li in zeek.policy.file_extraction %} + {%- for k,v in li %} + 
{%- if not loop.last %} + ["{{ k }}"] = "{{ v }}", + {%- else %} + ["{{ k }}"] = "{{ v }}" + {%- endif %} + {%- endfor %} + {%- endfor %} }; } # Start grabbing the file from the network if it matches the mimetype diff --git a/setup/files/intel.dat b/setup/files/intel.dat new file mode 100644 index 000000000..ca10994b6 --- /dev/null +++ b/setup/files/intel.dat @@ -0,0 +1,5 @@ +#fields indicator indicator_type meta.source meta.do_notice +# EXAMPLES: +#66.32.119.38 Intel::ADDR Test Address T +#www.honeynet.org Intel::DOMAIN Test Domain T +#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T diff --git a/setup/so-functions b/setup/so-functions index 7493b3f0d..ddf20c6d0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -986,12 +986,12 @@ manager_pillar() { " config:"\ " ruleset: $RULESETUP"\ " oinkcode: $OINKCODE"\ - " url:"\ + " urls:"\ " sids:"\ " enabled:"\ " disabled:"\ " modify:"\ - "" + ""\ "kratos:" >> "$pillar_file" @@ -1441,9 +1441,11 @@ setup_salt_master_dirs() { if [ "$setup_type" = 'iso' ]; then rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 else - cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 - cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 + cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 fi echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1 From 23420ace560ce032608ddd4582699926e81b79f8 Mon Sep 17 00:00:00 2001 
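Review bot: Both new `cp -Rv … intel.dat $local_salt_dir/salt/zeek/policy/intel/` lines assume the destination directory already exists; `cp` into a missing `intel/` fails (the trailing slash also prevents it from falling back to creating a file named `intel`), and the failure is only recorded in `$setup_log`. Unless that directory is created earlier in `setup_salt_master_dirs` (its beginning is outside the hunk), add `mkdir -p "$local_salt_dir/salt/zeek/policy/intel"` before the copies. Quoting `"$INSTALLUSERNAME"` and `"$local_salt_dir"` in the new lines would also be safer, though the surrounding code leaves them bare.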
From: Jason Ertel Date: Sat, 18 Jul 2020 08:36:01 -0400 Subject: [PATCH 292/314] Prevent nmcli, setterm, and echo output from leaking to console and crontab output --- setup/so-functions | 16 ++++++++-------- setup/so-setup | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 175471bd2..cee4a84fd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -522,7 +522,7 @@ configure_network_sensor() { # Create the bond interface only if it doesn't already exist - nmcli -f name,uuid -p con | grep -q "$INTERFACE" + nmcli -f name,uuid -p con | grep -q "$INTERFACE" >> "$setup_log" 2>&1 local found_int=$? if [[ $found_int != 0 ]]; then @@ -561,7 +561,7 @@ configure_network_sensor() { nmcli con up "$BNIC" >> "$setup_log" 2>&1 else # Check if the bond slave connection has already been created - nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" >> "$setup_log" 2>&1 local found_int=$? if [[ $found_int != 0 ]]; then @@ -588,7 +588,7 @@ configure_network_sensor() { } detect_cloud() { - echo "Testing if setup is running on a cloud instance..." + echo "Testing if setup is running on a cloud instance..." >> "$setup_log" 2>&1 if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi } @@ -609,7 +609,7 @@ detect_os() { exit 1 fi - echo "Installing required packages to run installer..." + echo "Installing required packages to run installer..." >> "$setup_log" 2>&1 # Install bind-utils so the host command exists if ! command -v host > /dev/null 2>&1; then yum -y install bind-utils >> "$setup_log" 2>&1 
@@ -1634,8 +1634,8 @@ set_initial_firewall_policy() { set_management_interface() { if [ "$address_type" = 'DHCP' ]; then - nmcli con mod "$MNIC" connection.autoconnect yes - nmcli con up "$MNIC" + nmcli con mod "$MNIC" connection.autoconnect yes >> "$setup_log" 2>&1 + nmcli con up "$MNIC" >> "$setup_log" 2>&1 else # Set Static IP nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\ @@ -1643,8 +1643,8 @@ set_management_interface() { ipv4.dns "$MDNS"\ ipv4.dns-search "$MSEARCH"\ connection.autoconnect yes\ - ipv4.method manual - nmcli con up "$MNIC" + ipv4.method manual >> "$setup_log" 2>&1 + nmcli con up "$MNIC" >> "$setup_log" 2>&1 fi } diff --git a/setup/so-setup b/setup/so-setup index 978a3b665..b9a19e9c6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -118,7 +118,7 @@ if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi -setterm -blank 0 +setterm -blank 0 > /dev/null if [ "$setup_type" == 'iso' ] || (whiptail_you_sure); then true From 3de2afe6189f4c989df3e0a9541445ed887aebba Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 17:29:11 -0400 Subject: [PATCH 293/314] Fix final bugs --- ...{broversion.map.jinja => zeekversion.map.jinja} | 0 salt/idstools/etc/rulecat.conf | 12 +++++++----- salt/zeek/init.sls | 6 ++++-- .../securityonion/file-extraction/extract.zeek | 14 ++++++++------ 4 files changed, 19 insertions(+), 13 deletions(-) rename salt/common/maps/{broversion.map.jinja => zeekversion.map.jinja} (100%) diff --git a/salt/common/maps/broversion.map.jinja b/salt/common/maps/zeekversion.map.jinja similarity index 100% rename from salt/common/maps/broversion.map.jinja rename to salt/common/maps/zeekversion.map.jinja diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 1957c6c13..5501c9b50 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
@@ -1,6 +1,6 @@
-{% set URLS = salt['pillar.get']('idstools:config:urls', {}) -%}
-{% set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
-{% set OINKCODE = salt['pillar.get']('idstools:config:oinkcode') -%}
+{%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
+{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
+{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
 --suricata-version=5.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -10,10 +10,12 @@
 {%- if RULESET == 'ETOPEN' %}
 --etopen
 {%- elif RULESET == 'ETPRO' %}
---etpro={{ OINKCODE }}
+--etpro={{ OINCODE }}
 {%- elif RULESET == 'TALOS' %}
 --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
 {%- endif %}
+{%- if URLS != None %}
 {%- for URL in URLS %}
 --url={{ URL }}
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 7b91632c9..68908a2ce 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -43,7 +43,7 @@ zeekspooldir:
 file.directory:
 - name: /nsm/zeek/spool/manager
 - user: 937
- - makedirs: true
+ - makedirs: True
 # Zeek extracted
 zeekextractdir:
@@ -57,7 +57,7 @@ zeekextractcompletedir:
 file.directory:
 - name: /nsm/zeek/extracted/complete
 - user: 937
- - makedirs: true
+ - makedirs: True
 # Sync the policies
 zeekpolicysync:
@@ -75,6 +75,7 @@ zeekintelloadsync:
 - source: salt://zeek/policy/intel/__load__.zeek
 - user: 937
 - group: 939
+ - makedirs: True
 zeekctlcfg:
 file.managed:
@@ -186,3 +187,4 @@ so-zeek:
 - file: /opt/so/conf/zeek/zeekctl.cfg
 - file: /opt/so/conf/zeek/policy
 - file: /opt/so/conf/zeek/bpf
+ 
\ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index cf7b307ab..6f59ed447 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
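Review bot: The ETPRO branch now renders `{{ OINCODE }}`, a name that is never set — the variable defined three lines up and used by the TALOS branch is `OINKCODE` — so depending on the renderer's undefined-variable mode the file either fails to render for ET Pro users or emits `--etpro=` with an empty code; restore `--etpro={{ OINKCODE }}`. In the first hunk the `{}` default on `URLS` is dropped again in favour of the `{%- if URLS != None %}` guard; `{%- if URLS %}` would cover both `None` and an empty list, and keeping a `[]` default would make the guard unnecessary.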
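Review bot: The three `- makedirs: true` → `- makedirs: True` changes switch between two spellings that YAML 1.1 loads as the same boolean, so they do not alter behaviour; lowercase `true` is the canonical form that yamllint's `truthy` rule accepts, so if consistency is the goal the other direction is the safer one. The last hunk appends a line consisting of a single space after `- file: /opt/so/conf/zeek/bpf` (trailing whitespace, still with no final newline); drop it rather than keep it.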
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek @@ -1,4 +1,4 @@ -{%- from zeek/fileextraction_defaults.yaml import zeek %} +{%- import_yaml "zeek/fileextraction_defaults.yaml" as zeek with context %} # Directory to stage Zeek extracted files before processing redef FileExtract::prefix = "/nsm/zeek/extracted/"; # Set a limit to the file size @@ -6,14 +6,16 @@ redef FileExtract::default_limit = 9000000; # These are the mimetypes we want to rip off the networks export { global _mime_whitelist: table[string] of string = { - {%- for li in zeek.policy.file_extraction %} - {%- for k,v in li %} + {%- for li in zeek.zeek.policy.file_extraction %} {%- if not loop.last %} + {%- for k,v in li.items() %} ["{{ k }}"] = "{{ v }}", - {%- else %} - ["{{ k }}"] = "{{ v }}" - {%- endif %} {%- endfor %} + {%- else %} + {%- for k,v in li.items() %} + ["{{ k }}"] = "{{ v }}" + {%- endfor %} + {%- endif %} {%- endfor %} }; } From 64bd70bb481a6a9f158dd0dee02b6ec621e19886 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 17:50:25 -0400 Subject: [PATCH 294/314] Update Release Notes --- salt/soc/files/soc/changes.json | 64 ++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 28 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 384a2781d..03492cc0a 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
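Review bot: The new Jinja duplicates the inner `for k,v in li.items()` loop in both branches of `loop.last` only to decide whether a trailing comma is printed; binding the outer loop once and choosing the separator inline removes the duplicated block and the risk of the two copies drifting apart. The `# Need to add other types such as zip, ps1, etc` reminder from the old table was dropped in patch 291 and is worth restoring as a comment above the loop. The `export` block and the rest of `_mime_whitelist`'s consumers continue outside the hunk.
```zeek
    # Need to add other types such as zip, ps1, etc
    global _mime_whitelist: table[string] of string = {
    {%- for li in zeek.zeek.policy.file_extraction %}
    {%- set outer = loop %}
    {%- for k,v in li.items() %}
        ["{{ k }}"] = "{{ v }}"{{ "," if not outer.last else "" }}
    {%- endfor %}
    {%- endfor %}
    };
```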
@@ -1,32 +1,40 @@ { - "title": "Introducing Hybrid Hunter 1.4.0 Beta 3", + "title": "Security Onion 2.0.0 RC1 is here!", "changes": [ - { "summary": "Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local." }, - { "summary": "The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier." }, - { "summary": "Users can now change their own password in SOC." }, - { "summary": "Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc." }, - { "summary": "Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history." }, - { "summary": "Zeek 3.0.7" }, - { "summary": "Elastic 7.7.1" }, - { "summary": "Suricata can now be used for meta data generation." }, - { "summary": "Suricata eve.json has been moved to `/nsm` to align with storage of other data." }, - { "summary": "Suricata will now properly rotate its logs." }, - { "summary": "Grafana dashboards now work properly in standalone mode." }, - { "summary": "Kibana Dashboard updates including osquery, community_id." }, - { "summary": "New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields." }, - { "summary": "Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat." }, - { "summary": "Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore." }, - { "summary": "Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to." }, - { "summary": "Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon." 
}, - { "summary": "SOC Downloads section now includes a link to the supported version of Winlogbeat." }, - { "summary": "Basic syslog ingestion capability now included." }, - { "summary": "Elasticsearch index name transition fixes for various components." }, - { "summary": "Updated URLs for pivot fields in Kibana." }, - { "summary": "Instances of \"hive\" renamed to \"thehive\"." }, - { "summary": "KNOWN ISSUE: The Hunt feature is currently considered \"Preview\" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!" }, - { "summary": "KNOWN ISSUE: You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt." }, - { "summary": "KNOWN ISSUE: Navigator is currently not working when using hostname to access SOC. IP mode works correctly." }, - { "summary": "KNOWN ISSUE: Due to the move to ECS, the current Playbook plays may not alert correctly at this time." }, - { "summary": "KNOWN ISSUE: The osquery MacOS package does not install correctly." } + { "summary": "Re-branded 2.0 to give it a fresh look." }, + { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0 " }, + { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, + { "summary": "so-import-pcap is back! See the docs here: http://docs.securityonion.net/en/2.0/so-import-pcap " }, + { "summary": "Fixed issue with so-features-enable." }, + { "summary": "Users can now pivot to PCAP from Suricata alerts." }, + { "summary": "ISO install now prompts users to create an admin/sudo user instead of using a default account name." }, + { "summary": "The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet." 
}, + { "summary": "Fixed issue with disk cleanup." }, + { "summary": "Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files." }, + { "summary": "Locked down access to certain SSL keys." }, + { "summary": "Suricata logs now compress after they roll over." }, + { "summary": "Users can now easily customize shard counts per index." }, + { "summary": "Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)." }, + { "summary": "Elastic nodes are now HOT by default, making it easier to add a warm node later." }, + { "summary": "so-allow now runs at the end of an install so users can enable access right away." }, + { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to `event.severity`:" }, + { "summary": " - 1-Low / 2-Medium / 3-High / 4-Critical." }, + { "summary": "Initial implementation of alerting queues:" }, + { "summary": " - Low & Medium alerts are accessible through Kibana & Hunt." }, + { "summary": " - High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis." }, + { "summary": " - ATT&CK Navigator is now a statically-hosted site in the nginx container." }, + { "summary": "Playbook:" }, + { "summary": " - All Sigma rules in the community repo (500+) are now imported and kept up to date." }, + { "summary": " - Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing)." }, + { "summary": " - Updated UI Theme." }, + { "summary": " - Once authenticated through SOC, users can now access Playbook with analyst permissions without login." }, + { "summary": "Kolide Launcher has been updated to include the ability to pass arbitrary flags. - New functionality sponsored by SOS." }, + { "summary": "Fixed issue with Wazuh authd registration service port not being correctly exposed." 
}, + { "summary": "Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools." }, + { "summary": "Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)." }, + { "summary": "Added default YARA rules for Strelka - Default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base" }, + { "summary": "Added the ability to use custom Zeek scripts." }, + { "summary": "Renamed "master server" to "manager node"." }, + { "summary": "Improved unification of Zeek and Strelka file data." }, ] } From 517edf19388bb520ecc5a5a902a0e8e7c8886258 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 17:55:35 -0400 Subject: [PATCH 295/314] Update Release Notes --- salt/soc/files/soc/changes.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 03492cc0a..f9d779da4 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -34,7 +34,7 @@ { "summary": "Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)." }, { "summary": "Added default YARA rules for Strelka - Default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base" }, { "summary": "Added the ability to use custom Zeek scripts." }, - { "summary": "Renamed "master server" to "manager node"." }, + { "summary": "Renamed \"master server\" to \"manager node\"." }, { "summary": "Improved unification of Zeek and Strelka file data." }, ] } From 1bcbcb1f98d727bf26a0c93d9ff028f9e498bc95 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 22:46:57 -0400 Subject: [PATCH 296/314] Fix idstools jinja --- salt/idstools/etc/disable.conf | 5 +++-- salt/idstools/etc/enable.conf | 5 +++-- salt/idstools/etc/modify.conf | 4 +++- 3 files changed, 9 insertions(+), 5 deletions(-) 
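Review bot: The rebuilt array ends with `{ "summary": "Improved unification of Zeek and Strelka file data." }, ] }`, and that trailing comma after the last element is not valid JSON — the previous contents of the file had none, so a strict parser that accepted the old file may reject this one; drop the comma (the same line is carried unchanged as context in patch 295's hunk, which is anchored here too). The unescaped quotes in the `"master server"` line are already corrected by patch 295.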
diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index e667d54c7..84144a495 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -9,7 +9,8 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ - +{%- if disabled_sids != None %} {%- for sid in disabled_sids %} {{ sid }} -{%- endfor %} \ No newline at end of file +{%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index da2dfb6af..5da0bfc61 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf @@ -9,7 +9,8 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ - +{%- if enabled_sids != None %} {%- for sid in enabled_sids %} {{ sid }} -{%- endfor %} \ No newline at end of file +{%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf index 52c4ca2ea..4ea75ada2 100644 --- a/salt/idstools/etc/modify.conf +++ b/salt/idstools/etc/modify.conf @@ -5,6 +5,8 @@ # Example changing the seconds for rule 2019401 to 3600. #2019401 "seconds \d+" "seconds 3600" +{%- if modify_sids != None %} {%- for sid in modify_sids %} {{ sid }} -{%- endfor %} \ No newline at end of file +{%- endfor %} +{%- endif %} \ No newline at end of file From 7b1ca5f361b3837a4ae45e990c7abacca16388c2 Mon Sep 17 00:00:00 2001 
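Review bot: `{%- if disabled_sids != None %}` (and the matching guards added to enable.conf and modify.conf in the same commit) uses the Python-style `!= None`; the Jinja idiom is `is not none`, and since the value arrives either as `null` or as a list, a plain truthiness test `{%- if disabled_sids %}` is shorter and also skips an empty list. The `{}` default on the `pillar.get` above each guard never applies when the key is present with a null value, which is the case the guard actually handles; a one-line comment such as `{# setup writes these keys as null when no SIDs are configured #}` would explain why both are needed.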
From: Mike Reeves Date: Sat, 18 Jul 2020 22:50:08 -0400 Subject: [PATCH 297/314] Fix common tools permissions --- salt/common/tools/sbin/so-docker-refresh | 0 salt/common/tools/sbin/so-elasticsearch-indices-rw | 0 salt/common/tools/sbin/so-fleet-setup | 0 salt/common/tools/sbin/so-saltstack-update | 0 salt/common/tools/sbin/so-sensor-clean | 0 salt/common/tools/sbin/so-zeek-stats | 0 salt/common/tools/sbin/soup | 0 7 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-docker-refresh mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-indices-rw mode change 100644 => 100755 salt/common/tools/sbin/so-fleet-setup mode change 100644 => 100755 salt/common/tools/sbin/so-saltstack-update mode change 100644 => 100755 salt/common/tools/sbin/so-sensor-clean mode change 100644 => 100755 salt/common/tools/sbin/so-zeek-stats mode change 100644 => 100755 salt/common/tools/sbin/soup diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup old mode 100644 new mode 100755 From fbc8a90083e614c0758d9f6cdc07239ebe802e6e Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Sat, 18 Jul 2020 22:58:15 -0400 Subject: [PATCH 298/314] Soup Update --- salt/common/tools/sbin/soup | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 75e5da10e..f6a2c293f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -23,7 +23,7 @@ default_salt_dir=/opt/so/saltstack/default manager_check() { # Check to see if this is a manager MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-managersearch')$ ]]; then + if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then echo "This is a manager. We can proceed" else echo "Please run soup on the manager. The manager controls all updates." @@ -169,15 +169,25 @@ verify_latest_update_script() { fi } +echo "Checking to see if this is a manager" manager_check +echo "Cloning latest code to a temporary location" clone_to_tmp +echo "Verifying we have the latest script" verify_latest_update_script +echo "Let's see if we need to update" upgrade_check +echo "Making pillar changes" pillar_changes +echo "Cleaning up old docker" clean_dockers +echo "Updating docker to $NEWVERSION" update_dockers +echo "Copying new code" copy_new_files +echo "Running a highstate to complete upgrade" highstate +echo "Updating version" update_version echo "" echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." From 847a9d76e0fb5df032b54f45fe15db75bbdef129 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:02:28 -0400 Subject: [PATCH 299/314] Soup Update --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index f6a2c293f..412c631b5 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -43,8 +43,8 @@ clone_to_tmp() { # Make a temp location for the files mkdir -p /tmp/sogh cd /tmp/sogh - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git - git clone https://github.com/Security-Onion-Solutions/securityonion.git + git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + #git clone https://github.com/Security-Onion-Solutions/securityonion.git cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." From 095a87dc46abe2520f8e041a8c0845998f809564 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:06:31 -0400 Subject: [PATCH 300/314] Soup Update --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 412c631b5..601faf4d9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -155,7 +155,7 @@ upgrade_check() { verify_latest_update_script() { # Check to see if the update scripts match. If not run the new one. - CURRENTSOUP=$(md5sum /usr/sbin/soup) + CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup) GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup) if [ "$CURRENTSOUP" == "$GITSOUP" ]; then echo "This version of the soup script is up to date. Verifying versions." From 27568f00473552e1d9eb403b700bcf9001498fb4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:09:18 -0400 Subject: [PATCH 301/314] Soup Update --- salt/common/tools/sbin/soup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 601faf4d9..135baac8a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
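Review bot: `mkdir -p /tmp/sogh` followed by `cd /tmp/sogh` accepts a pre-existing directory regardless of owner, and the only success check is `[ ! -f $UPDATE_DIR/VERSION ]`, which tests for a file rather than for the clone's exit status; a local user who pre-creates `/tmp/sogh/securityonion` with a VERSION file (UPDATE_DIR appears to point there, judging by the md5sum path in a later hunk) would make `git clone` fail and still pass the check, and the planted tree appears to be what root then copies and runs. Stage the clone in a `mktemp -d` directory, abort when `cd` fails, and test `git clone ... || exit 1` directly. Tracking `-b dev` also means production updates follow an unpinned moving branch; a later commit flips it back, but a branch variable or a release tag would avoid committing that toggle.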
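Review bot: `md5sum` prints `<digest>  <path>`, and the two paths differ, so after this change CURRENTSOUP and GITSOUP can never compare equal and every run takes the "not running the latest soup version" branch. Compare digests only, `CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}')` (and the same for GITSOUP), or replace the hashing with `cmp -s`. The function body continues beyond the hunk.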
@@ -157,6 +157,8 @@ verify_latest_update_script() {
 # Check to see if the update scripts match. If not run the new one.
 CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup)
 GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup)
+ echo "C is $CURRENTSOUP"
+ echo "G is $GITSOUP"
 if [ "$CURRENTSOUP" == "$GITSOUP" ]; then
 echo "This version of the soup script is up to date. Verifying versions."
 else
From 5bab5ae7d19076f124bc1498a7117b3950b14b84 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Sat, 18 Jul 2020 23:10:37 -0400
Subject: [PATCH 302/314] Soup Update
---
salt/common/tools/sbin/soup | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 135baac8a..d42932eb7 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -159,7 +159,7 @@ verify_latest_update_script() {
 GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup)
 echo "C is $CURRENTSOUP"
 echo "G is $GITSOUP"
- if [ "$CURRENTSOUP" == "$GITSOUP" ]; then
+ if [ $CURRENTSOUP = $GITSOUP ]; then
 echo "This version of the soup script is up to date. Verifying versions."
 else
 echo "You are not running the latest soup version. Updating soup."
From 872f849204cd922318568f13037454e5fb4063e4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Sat, 18 Jul 2020 23:12:53 -0400
Subject: [PATCH 303/314] Soup Update
---
salt/common/tools/sbin/soup | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index d42932eb7..a67c10aff 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup 
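Review bot: Unquoting the operands in `[ $CURRENTSOUP = $GITSOUP ]` makes the test subject to word splitting; each variable still holds md5sum's `<digest>  <path>` output, so `[` receives six arguments, prints "too many arguments" and returns 2, which drops into the else branch and reinstalls soup on every run. Keep the quoted form, `[[ "$CURRENTSOUP" == "$GITSOUP" ]]`. The values will still differ until the path is stripped from the md5sum output, which is the actual cause of the mismatch the debug echoes are chasing.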
@@ -159,7 +159,7 @@ verify_latest_update_script() { GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup) echo "C is $CURRENTSOUP" echo "G is $GITSOUP" - if [ $CURRENTSOUP = $GITSOUP ]; then + if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then echo "This version of the soup script is up to date. Verifying versions." else echo "You are not running the latest soup version. Updating soup." From 954c12acfb950dece98e94f39583c6d679b3416f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:16:39 -0400 Subject: [PATCH 304/314] Soup Update --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a67c10aff..eb02c6e89 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -155,8 +155,8 @@ upgrade_check() { verify_latest_update_script() { # Check to see if the update scripts match. If not run the new one. - CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup) - GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup) + CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}') + GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}') echo "C is $CURRENTSOUP" echo "G is $GITSOUP" if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then From 74e6846e8494d183daf79c8469a9a834ca2284e2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:19:14 -0400 Subject: [PATCH 305/314] Soup Update --- salt/common/tools/sbin/soup | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index eb02c6e89..59a22bd7c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
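Review bot: Hashing both files only to test them for equality is more than needed, and the md5 comparison is a change detector, not an integrity check — it cannot tell a legitimate update from anything else served by the clone, whose only trust anchor is the HTTPS connection. `if cmp -s /opt/so/saltstack/default/salt/common/tools/sbin/soup /tmp/sogh/securityonion/salt/common/tools/sbin/soup; then` states the intent directly with no temporaries. If authenticity is the goal, pin the clone to a signed release tag and check it with `git verify-tag` before the copy in the else branch.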
@@ -175,20 +175,28 @@ echo "Checking to see if this is a manager" manager_check echo "Cloning latest code to a temporary location" clone_to_tmp +echo "" echo "Verifying we have the latest script" verify_latest_update_script +echo "" echo "Let's see if we need to update" upgrade_check +echo "" echo "Making pillar changes" pillar_changes -echo "Cleaning up old docker" +echo "" +echo "Cleaning up old dockers" clean_dockers +echo "" echo "Updating docker to $NEWVERSION" update_dockers +echo "" echo "Copying new code" copy_new_files +echo "" echo "Running a highstate to complete upgrade" highstate +echo "" echo "Updating version" update_version echo "" From 0302d2b6acb1a5b2dccd9db7840389e57a757f0d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:19:52 -0400 Subject: [PATCH 306/314] Soup Update --- salt/common/tools/sbin/soup | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 59a22bd7c..9d2c0f348 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -157,8 +157,6 @@ verify_latest_update_script() { # Check to see if the update scripts match. If not run the new one. CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}') GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}') - echo "C is $CURRENTSOUP" - echo "G is $GITSOUP" if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then echo "This version of the soup script is up to date. Verifying versions." else From 28a954db8232623e97ad32bad2d60097a8af867f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:24:22 -0400 Subject: [PATCH 307/314] Soup Update --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9d2c0f348..46a472cc0 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -129,7 +129,7 @@ update_dockers() { echo "Downloading $i:$NEWVERSION" docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION # Tag it with the new registry destination - docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION done From 514df1211e4f250eaea79ff3007aa69d106a06fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 18 Jul 2020 23:34:45 -0400 Subject: [PATCH 308/314] Soup Update --- salt/common/tools/sbin/soup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 46a472cc0..878372e68 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -43,8 +43,8 @@ clone_to_tmp() { # Make a temp location for the files mkdir -p /tmp/sogh cd /tmp/sogh - git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git - #git clone https://github.com/Security-Onion-Solutions/securityonion.git + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + git clone https://github.com/Security-Onion-Solutions/securityonion.git cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." @@ -158,7 +158,7 @@ verify_latest_update_script() { CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}') GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}') if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then - echo "This version of the soup script is up to date. Verifying versions." + echo "This version of the soup script is up to date. Proceeding." else echo "You are not running the latest soup version. Updating soup." cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/ 
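Review bot: The `docker tag` fix now references the image that was pulled, but `docker pull`, `docker tag` and `docker push` in this loop are all unchecked, so a failed pull (registry unreachable, tag not yet published) is not detected, the loop moves on, and the upgrade proceeds with a missing or stale image in the local registry. Chain the three and abort on failure, e.g. `docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION && docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION && docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION || { echo "Failed to update $i"; exit 1; }`. update_dockers begins before the hunk.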
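Review bot: Switching back from `-b dev` still leaves the updater cloning an unpinned branch head and — per the verify hunk in the same patch — copying the fetched soup over the installed one, so whatever the remote serves at that moment is what root executes next; TLS to github.com is the only protection. Pin the checkout to the release being installed (`git clone --depth 1 --branch "<release tag>" ...`, with the tag derived from the VERSION the script already reads) and verify the tag signature before the copy. The dev/non-dev flip is also being done by editing and re-committing the script; a `SOUP_BRANCH` variable with a default would keep that out of the history.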
From 053f27eb35829bf8fcc9b3803ec9a7b5432159c6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 19 Jul 2020 06:58:24 -0400 Subject: [PATCH 309/314] Run setterm, to blank terminal, only for non-automated installations --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index b9a19e9c6..6a432fc9d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -118,7 +118,9 @@ if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi -setterm -blank 0 > /dev/null +if [ $automated == no ]; then + setterm -blank 0 >> $setup_log 2>&1 +fi if [ "$setup_type" == 'iso' ] || (whiptail_you_sure); then true From bd70fdbb33b609c24d2b58b84bb397a2837cca9b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 19 Jul 2020 08:11:57 -0400 Subject: [PATCH 310/314] Corrected JSON syntax to avoid a blank Overview screen in SOC; Applied HTML formatting of changes.json summaries for better markup handling. --- salt/soc/files/soc/changes.json | 36 +++++++++++++-------------------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index f9d779da4..715b84566 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
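Review bot: `if [ $automated == no ]; then` leaves `$automated` unquoted; its assignment is outside the hunk, and if it is ever empty the test becomes `[ == no ]`, which `[` rejects with an error so the condition is silently treated as false. Quote it, `if [ "$automated" == no ]; then`, or use `[[ $automated == no ]]` since the script already relies on bash. Redirecting setterm into `$setup_log` is fine, but note that the old `> /dev/null` left stderr on the console whereas `2>&1` now hides a failure in the log.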
@@ -2,10 +2,10 @@ "title": "Security Onion 2.0.0 RC1 is here!", "changes": [ { "summary": "Re-branded 2.0 to give it a fresh look." }, - { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0 " }, - { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, - { "summary": "so-import-pcap is back! See the docs here: http://docs.securityonion.net/en/2.0/so-import-pcap " }, - { "summary": "Fixed issue with so-features-enable." }, + { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0" }, + { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, + { "summary": "so-import-pcap is back! See the docs here: http://docs.securityonion.net/en/2.0/so-import-pcap." }, + { "summary": "Fixed issue with so-features-enable." }, { "summary": "Users can now pivot to PCAP from Suricata alerts." }, { "summary": "ISO install now prompts users to create an admin/sudo user instead of using a default account name." }, { "summary": "The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet." }, 
@@ -16,25 +16,17 @@ { "summary": "Users can now easily customize shard counts per index." }, { "summary": "Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)." }, { "summary": "Elastic nodes are now HOT by default, making it easier to add a warm node later." }, - { "summary": "so-allow now runs at the end of an install so users can enable access right away." }, - { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to `event.severity`:" }, - { "summary": " - 1-Low / 2-Medium / 3-High / 4-Critical." }, - { "summary": "Initial implementation of alerting queues:" }, - { "summary": " - Low & Medium alerts are accessible through Kibana & Hunt." }, - { "summary": " - High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis." }, - { "summary": " - ATT&CK Navigator is now a statically-hosted site in the nginx container." }, - { "summary": "Playbook:" }, - { "summary": " - All Sigma rules in the community repo (500+) are now imported and kept up to date." }, - { "summary": " - Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing)." }, - { "summary": " - Updated UI Theme." }, - { "summary": " - Once authenticated through SOC, users can now access Playbook with analyst permissions without login." }, - { "summary": "Kolide Launcher has been updated to include the ability to pass arbitrary flags. - New functionality sponsored by SOS." }, + { "summary": "so-allow now runs at the end of an install so users can enable access right away." }, + { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:

  1. Low
  2. Medium
  3. High
  4. Critical
" }, + { "summary": "Initial implementation of alerting queues:
  • Low & Medium alerts are accessible through Kibana & Hunt.
  • High & Critical alerts are accessible through Kibana, Hunt and TheHive for immediate analysis.
  • ATT&CK Navigator is now a statically-hosted site in the nginx container.
" }, + { "summary": "Playbook updates:
  • All Sigma rules in the community repo (500+) are now imported and kept up to date.
  • Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing).
  • Updated UI Theme.
  • Once authenticated through SOC, users can now access Playbook with analyst permissions without login.
" }, + { "summary": "Kolide Launcher has been updated to include the ability to pass arbitrary flags. This new functionality was sponsored by SOS." }, { "summary": "Fixed issue with Wazuh authd registration service port not being correctly exposed." }, - { "summary": "Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools." }, - { "summary": "Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)." }, - { "summary": "Added default YARA rules for Strelka - Default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base" }, + { "summary": "Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools." }, + { "summary": "Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)." }, + { "summary": "Added default YARA rules for Strelka. Default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base." }, { "summary": "Added the ability to use custom Zeek scripts." }, - { "summary": "Renamed \"master server\" to \"manager node\"." }, - { "summary": "Improved unification of Zeek and Strelka file data." }, + { "summary": "Renamed master server to manager node." }, + { "summary": "Improved unification of Zeek and Strelka file data." } ] } From beda859207552fc11ac07de7cb2097ddf7c54155 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 Jul 2020 08:47:09 -0400 Subject: [PATCH 311/314] Update changes.json sub-bullets to improve communication of the content --- salt/soc/files/soc/changes.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 715b84566..517816fcd 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json 
@@ -17,8 +17,9 @@ { "summary": "Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)." }, { "summary": "Elastic nodes are now HOT by default, making it easier to add a warm node later." }, { "summary": "so-allow now runs at the end of an install so users can enable access right away." }, - { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
  1. Low
  2. Medium
  3. High
  4. Critical
" }, - { "summary": "Initial implementation of alerting queues:
  • Low & Medium alerts are accessible through Kibana & Hunt.
  • High & Critical alerts are accessible through Kibana, Hunt and TheHive for immediate analysis.
  • ATT&CK Navigator is now a statically-hosted site in the nginx container.
" }, + { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
  • 1 = Low
  • 2 = Medium
  • 3 = High
  • 4 = Critical
" }, + { "summary": "Initial implementation of alerting queues:
  • Low & Medium alerts are accessible through Kibana & Hunt.
  • High & Critical alerts are accessible through Kibana, Hunt and TheHive for immediate analysis.
" }, + { "summary": "ATT&CK Navigator is now a statically-hosted site in the nginx container." }, { "summary": "Playbook updates:
  • All Sigma rules in the community repo (500+) are now imported and kept up to date.
  • Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing).
  • Updated UI Theme.
  • Once authenticated through SOC, users can now access Playbook with analyst permissions without login.
" }, { "summary": "Kolide Launcher has been updated to include the ability to pass arbitrary flags. This new functionality was sponsored by SOS." }, { "summary": "Fixed issue with Wazuh authd registration service port not being correctly exposed." }, From 9565050b82076348fdf972dc0e8c88a40c6683f9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Jul 2020 10:15:47 -0400 Subject: [PATCH 312/314] Fix Features script --- salt/common/tools/sbin/so-features-enable | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index a7507290f..c94aebcba 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable @@ -20,11 +20,12 @@ local_salt_dir=/opt/so/saltstack/local manager_check() { # Check to see if this is a manager MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MANAGERCHECK == 'so-eval' OR $MANAGERCHECK == 'so-manager' OR $MANAGERCHECK == 'so-managersearch' ]; then - echo "This is a manager. We can proceed." + if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then + echo "This is a manager. We can proceed" else echo "Please run so-features-enable on the manager." exit 0 + fi } manager_check From 9ff3ffc401cdc8cd731e1f71e848c02ee0a66358 Mon Sep 17 00:00:00 2001 From: bryant-treacle Date: Wed, 24 Jun 2020 18:40:11 +0000 Subject: [PATCH 313/314] Issue #885: so-elastic-clear not removing so-* indices --- salt/common/tools/sbin/so-elastic-clear | 50 +++++++++++++++++++++++++ test.test | 0 2 files changed, 50 insertions(+) create mode 100644 test.test diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 2db400839..b491c0453 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear 
@@ -13,7 +13,11 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License +<<<<<<< HEAD # along with this program. If not, see . +======= +# along with this program. If not, see .. /usr/sbin/so-common +>>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} . /usr/sbin/so-common @@ -63,8 +67,33 @@ if [ $SKIP -ne 1 ]; then if [ "$INPUT" != "AGREE" ] ; then exit 0; fi fi +<<<<<<< HEAD /usr/sbin/so-filebeat-stop /usr/sbin/so-logstash-stop +======= +# Check to see if Logstash/Filebeat are running +LS_ENABLED=$(so-status | grep logstash) +FB_ENABLED=$(so-status | grep filebeat) +EA_ENABLED=$(so-status | grep elastalert) + +if [ ! -z "$FB_ENABLED" ]; then + + /usr/sbin/so-filebeat-stop + +fi + +if [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-stop + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-stop + +fi +>>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices # Delete data echo "Deleting data..." @@ -75,6 +104,27 @@ do curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1 done +<<<<<<< HEAD /usr/sbin/so-logstash-start /usr/sbin/so-filebeat-start +======= +#Start Logstash/Filebeat +if [ ! -z "$FB_ENABLED" ]; then + + /usr/sbin/so-filebeat-start + +fi + +if [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-start + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-start + +fi +>>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices diff --git a/test.test b/test.test new file mode 100644 index 000000000..e69de29bb From 9be4756a900122333c49a75d210e071ebd5a24a7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 20 Jul 2020 14:22:55 -0400 Subject: [PATCH 314/314] [fix] Resolve merge commits --- salt/common/tools/sbin/so-elastic-clear | 14 -------------- test.test | 0 2 files changed, 14 deletions(-) delete mode 100644 test.test 
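Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 08220e33...`) are committed in all three hunks of so-elastic-clear, which bash cannot parse, so the script is unusable as of this commit; an empty `test.test` is also added at the repository root. Resolve the conflicts in favour of the status-gated stop/start block, drop `test.test`, and restore the license line, which now reads `# along with this program. If not, see .. /usr/sbin/so-common` with the `. /usr/sbin/so-common` source line fused onto the comment. The `so-status | grep logstash` enablement checks are plain substring matches; whether that is precise enough depends on so-status output I cannot see here, so anchoring the pattern may be worthwhile.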
diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index b491c0453..f402876cb 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -13,11 +13,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -<<<<<<< HEAD -# along with this program. If not, see . -======= # along with this program. If not, see .. /usr/sbin/so-common ->>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} . /usr/sbin/so-common @@ -67,10 +63,6 @@ if [ $SKIP -ne 1 ]; then if [ "$INPUT" != "AGREE" ] ; then exit 0; fi fi -<<<<<<< HEAD -/usr/sbin/so-filebeat-stop -/usr/sbin/so-logstash-stop -======= # Check to see if Logstash/Filebeat are running LS_ENABLED=$(so-status | grep logstash) FB_ENABLED=$(so-status | grep filebeat) @@ -93,7 +85,6 @@ if [ ! -z "$EA_ENABLED" ]; then /usr/sbin/so-elastalert-stop fi ->>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices # Delete data echo "Deleting data..." @@ -104,10 +95,6 @@ do curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1 done -<<<<<<< HEAD -/usr/sbin/so-logstash-start -/usr/sbin/so-filebeat-start -======= #Start Logstash/Filebeat if [ ! -z "$FB_ENABLED" ]; then @@ -126,5 +113,4 @@ if [ ! -z "$EA_ENABLED" ]; then /usr/sbin/so-elastalert-start fi ->>>>>>> 08220e33... Issue #885: so-elastic-clear not removing so-* indices diff --git a/test.test b/test.test deleted file mode 100644 index e69de29bb..000000000
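Review bot: The resolution keeps the garbled side of the license header, `# along with this program. If not, see .. /usr/sbin/so-common`, instead of the HEAD line; it is harmless because a real `. /usr/sbin/so-common` follows, but it is a conflict leftover and should be reverted to the original comment. The delete loop's `curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1` (context in the `@@ -104,10 +95,6 @@` hunk) discards both output and exit status, so a failed delete is still announced as done and Logstash/Filebeat/Elastalert are restarted regardless; use `curl -sf -XDELETE "{{ MASTERIP }}:9200/${INDX}" -o /dev/null || echo "Failed to delete ${INDX}"`. The request also goes to plain `http://` with no credentials, which is only acceptable if 9200 is reachable solely from the manager — a comment stating that assumption would help.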